A node package named "-" being added to my package.json unintentionally?-CodePudding

A package called "-" has been added into my package.json file, unintentionally. I believe it is this package: https://www.npmjs.com/package/-

I was using ncu (https://www.npmjs.com/package/npm-check-updates) to upgrade some packages, then I noticed there is a new line added in the "dependencies"

 "dependencies": {
     "-": "^0.0.1"
     ...
}

I have no idea what it is. From its npm page, it says

Created using https://github.com/parzh/create-package-typescript

What is this "create-package-typescript"?

Apologise in advance if the question is too naive. I am new to web/javascript development.

CodePudding user response：

If you want to be completely certain what it is, don't bother with the links on the npm package page. They are generated from the project's README and metadata in package.json and can be anything. Instead, inspect the module's source code (since you already have it installed--if you didn't, I'd recommend grabbing the tar file and using that instead of installing it.

Here is the complete source code of the module:

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.default = null;

If you wanted to know what the module does, there's your answer.

If you wanted to make sure the module didn't do nefarious things on installation, then the thing to do is check the package.json for lifecycle scripts and possibly other things. Here's the package.json:

{
  "name": "-",
  "version": "0.0.1",
  "license": "UNLICENSED",
  "keywords": [],
  "main": "dist/index.js",
  "types": "dist/index.d.ts",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1",
    "start": "node --require ts-node/register src",
    "build": "tsc"
  },
  "devDependencies": {
    "@types/node": "13.9.0",
    "ts-node": "8.6.2",
    "typescript": "3.8.3"
  }
}

Nothing much going on in there. So I think we can rule out malware here.

As far as whether you need this functionality in your code, I kinda doubt it but only you can say.

It seems possible that someone published this as an experiment or in error. It also seems possible that it was installed in error. If you want to uninstall it and then test your code, you can do npm uninstall -. If that breaks things and you need to re-add it, npm install --ignore-scripts -.