Check npm package dependencies size, licenses and impact on your package before installing it 🤔

If you like it, please, ⭐️ this repo!
npm install -g npm-consider
Note: this tool is more useful when you colleagues also use it 😉
Add new dependency
npm-consider has similar arguments as npm install
npm-consider install --save express
The command recursively requests packages info from npm and builds dependencies graph. Size of the package determined via HEAD request to tarball download URL.
Analyze local package
When called without arguments in package directory it builds dependency graph and calculate metrics for local package
npm-consider install
Using for automation and continuous integration
You can specify maximum values of size and number as well as allowed license types in config of your package.json.
"config": {
"maxPackagesNumber": 100,
"maxSizeBites": 840400,
"allowedLicenseTypes": [
"permissive",
"publicDomain",
"uncategorized"
]
}
Once provided you can call
npm-consider install --test

If all limits are satisfied command will exit with code=0; otherwise code=1.
Note: in this mode, npm-consider will not call npm install or yarn install.
Supported properties:
maxPackagesNumber max number of npm dependencies incuding transitive dependenciesmaxSizeBites max size of downloaded packages in bitesallowedLicenseTypes what types of dependency licenses are accpetable for the packageSupported types are publicDomain, permissive, weaklyProtective, protective, networkProtective, uncategorized.
If you are not sure which license types are appropriate check this artice.
If project contains yarn.lock file, then npm-consider will do yarn add with corresponding options.
npm-consider calculates license type for every dependency. The type defines license policy for linking as a librtary. Data collected from Comparison of free and open-source software licenses on Wikipedia.
Public Domain and Permissive license allows you to do anything except sue the authorWeakly Protective license have restriction to how can it be linked and combined with other licensesProtective or Copyleft dependency license requires dependent module to have a free license, which prevents it from being proprietaryNetwork Protective same as Protective but also triggers with network interactionUncategorized means that license was not found in a package info or was not categorised in terms of linking; feel free to contribute to license categorisation;Note: that even permissive licenses have some restrictions. Check the following slide and article to learn about license compatibility:

The Free-Libre / Open Source Software (FLOSS) License Slide
npm install with the same arguments--save or --save-dev option. The second one takes into account already installed dependencies and devDepenedencies.npm install; no changes in your project will apply.$ claude mcp add npm-consider \
-- python -m otcore.mcp_server <graph>