Post-Candide

After the garden...


Locate npm packages

Supply chain attacks on widely distributed packages are now a weekly occurrence, and those packages can end up installed as transitive dependencies of tools we use but don't develop. Here's a quick fish function for OS X systems to scan for a given package (depends on fd and jq):

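function npm_find
    if test (count $argv) -lt 1
        echo "Usage: npm_find <package> [directory]"
        return 1
    end

    # Keep the variables local so they don't clobber globals of the same name
    set -l package $argv[1]
    set -l dirs /Users /opt /usr /Applications
    if test (count $argv) -ge 2
        set dirs $argv[2]
    end

    # fd skips hidden and .gitignore'd paths by default, and node_modules is
    # usually git-ignored, so turn both filters off or most copies are missed.
    # jq prints "<path to package.json>: <version>" for every match.
    fd --hidden --no-ignore --full-path \
        "node_modules/$package/package\.json\$" $dirs \
        -x jq -r '"\(input_filename): \(.version)"'
end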
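The same scan as an added example in Python (not part of the original post), for machines without fd and jq. It goes one step further and flags copies whose version appears in an advisory's list of affected versions. The package names, versions and the `affected` parameter are constructed for illustration, and versions are compared as exact strings, not semver ranges.

```python
import json, os, tempfile

def find_package(name, roots, affected=()):
    """Return sorted (manifest_path, version, is_affected) for each installed copy.

    `affected` holds exact version strings from an advisory (assumption: no ranges).
    """
    want = ["node_modules", *name.split("/")]      # also handles @scope/pkg
    hits = []
    for root in roots:
        # os.walk descends into dot-directories and knows nothing about .gitignore.
        for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
            if "package.json" not in files or dirpath.split(os.sep)[-len(want):] != want:
                continue
            manifest = os.path.join(dirpath, "package.json")
            try:
                with open(manifest, encoding="utf-8") as fh:
                    version = json.load(fh).get("version")
            except (OSError, ValueError, AttributeError):
                version = None                     # malformed manifest: keep the path
            if not isinstance(version, str):
                version = None
            hits.append((manifest, version, version in affected))
    return sorted(hits, key=lambda hit: hit[0])

def build_sample_tree(base):
    """Constructed sample layout; every name and version here is made up."""
    layout = {
        "app/node_modules/example-pkg/package.json": '{"version": "1.2.3"}',
        "app/node_modules/dep/node_modules/example-pkg/package.json": '{"version": "1.2.4"}',
        ".cache/tool/node_modules/example-pkg/package.json": "{not json",
        "app/node_modules/@example/example-pkg/package.json": '{"version": "9.9.9"}',
        "app/node_modules/example-pkg-extra/package.json": '{"version": "1.2.4"}',
    }
    for rel, body in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        for path, version, bad in find_package("example-pkg", [base], affected={"1.2.4"}):
            flag = "AFFECTED" if bad else "ok"
            print(f"{flag:8} {version or 'unreadable'}  {os.path.relpath(path, base)}")
```

Symlinked directories are not followed, so store layouts that link packages into node_modules (pnpm, for instance) need the store directory passed as a root.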

Also: