This section has been added for the benefit of developers needing to do any work on the utility.
Tom Hyde - repo administrator
Ian French - latest developer to do any work on the utility
Clone the repo: git clone https://github.com/NewOrbit/twotime.git
Change directory to the cloned repo, install dependencies and sanity-check the build, e.g. from PowerShell:
PS> cd twotime
PS> npm install
PS> npm run prepublishOnly
- From the root of the repo, i.e. the same folder as this README:
  - Ensure the `package.json` file contains the correct name and version.
  - Delete the `bin` folder if you've made significant changes or deleted any source file.
  - `npm run build`, then `npm run lint`, then `npm run test`.
There are several new scripts added to package.json to enable running the utility with one of the arguments, for example starting a timer:
PS> npm run start
Other features can be tested by running node directly, for example:
PS> node bin/src/index.js --help
PS> node bin/src/index.js pause
This will be done manually when necessary, rather than tying it to a DevOps pipeline.
- Ensure you have enough privileges to add a package to the NewOrbit registry.
- The npm package `vsts-npm-auth` should already be installed as part of a general `npm install`. Otherwise install it manually by using `npm install vsts-npm-auth`.
- Unless you already have this all set up, add a `.npmrc` file to the project in the same directory as package.json with the following contents:

      registry=https://registry.npmjs.org/
      @neworbit:registry=https://pkgs.dev.azure.com/neworbit/_packaging/NewOrbit/npm/registry/
      always-auth=true

  (This file must be ignored by git as it will contain an unencrypted authentication token.)
- Run vsts-npm-auth to get an Azure Artifacts token added: `npx vsts-npm-auth -config .npmrc`. Note:
  - You don't need to do this every time. npm will give a 401 unauthorized error when you need to run it again.
  - You should get an email entitled "Azure DevOps personal access token added".
- Publish the package with `npm publish`. Check it exists in NewOrbit internal artefacts.
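As an added example (not part of the twotime code base), the following Node.js helper audits a project `.npmrc` before publishing: it confirms that `@neworbit` resolves to the internal feed, lists which keys carry credentials without echoing their values, and checks that git will not pick the file up. The function names, the sample token line and its `PLACEHOLDER` value are assumptions made for illustration.

```javascript
// Added example, not twotime code: audit a project .npmrc before `npm publish`.
const FEED = 'https://pkgs.dev.azure.com/neworbit/_packaging/NewOrbit/npm/registry/';
// Constructed sample: the three lines from the page plus a placeholder token line.
const SAMPLE = [
  'registry=https://registry.npmjs.org/',
  `@neworbit:registry=${FEED}`,
  'always-auth=true',
  '//pkgs.dev.azure.com/neworbit/_packaging/NewOrbit/npm/registry/:_authToken=PLACEHOLDER',
].join('\n');

// npm config keys that hold secrets, bare or scoped to a registry ("//host/path/:key").
const CREDENTIAL_KEY = /(^|:)(_authToken|_auth|_password)$/;

// Parse npmrc text: key=value lines; ';' and '#' start comment lines.
function parseNpmrc(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 1) continue; // not a key=value line
    entries.push({ key: line.slice(0, eq).trim(), value: line.slice(eq + 1).trim() });
  }
  return entries;
}

// Hypothetical helper: returns what a reviewer wants to know before publishing.
function auditNpmrc(text, scope, expectedRegistry) {
  const entries = parseNpmrc(text);
  // The last assignment wins, as it does when npm reads the file.
  const scoped = entries.filter((e) => e.key === `${scope}:registry`).pop();
  // Report only the key names of credential lines, never the secret values.
  const credentialKeys = entries.filter((e) => CREDENTIAL_KEY.test(e.key)).map((e) => e.key);
  const problems = [];
  if (!scoped) problems.push(`${scope} is not mapped to a registry`);
  else if (scoped.value !== expectedRegistry) problems.push(`${scope} points at ${scoped.value}`);
  return { scopeRegistry: scoped ? scoped.value : null, credentialKeys, problems };
}

// True when the file is matched by an ignore rule and is not already tracked.
async function isKeptOutOfGit(path) {
  const { spawnSync } = await import('node:child_process');
  const ignored = spawnSync('git', ['check-ignore', '-q', path]).status === 0;
  const tracked = spawnSync('git', ['ls-files', '--error-unmatch', path]).status === 0;
  return ignored && !tracked;
}
```

Run `auditNpmrc` on the real file's contents and `isKeptOutOfGit('.npmrc')` from the repo root; a non-empty `credentialKeys` together with `isKeptOutOfGit` returning `false` means a token is one `git add` away from being committed.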
The codebase was very old and most library dependencies were hugely behind current versions. In January 2025, an npm audit reported 85 vulnerabilities (1 low, 22 moderate, 50 high, 12 critical). Most were centred on the harvest package which looks like it's been abandoned. Ian F updated everything to more modern versions as part of a piece of work to tighten up the reporting of task time-remaining. Several old libraries such as moment were factored out.
There are currently no vulnerabilities reported by npm audit, or on packaging the utility.
However, not all of the dependent packages could be upgraded to the latest versions due to run-time problems, specifically ERR_REQUIRE_ESM errors. There was not enough time in the project to see if this can be addressed - none of these has any security vulnerabilities. An npm outdated command gave the following output as of end Jan 2025:
    Package                              Current  Wanted  Latest  Location                                          Depended by
    --------                             -------  ------  ------  ------------------------------------------------  -----------
    @types/inquirer                      7.3.3    7.3.3   9.0.7   node_modules/@types/inquirer                      twotime
    @types/inquirer-autocomplete-prompt  1.3.5    1.3.5   3.0.3   node_modules/@types/inquirer-autocomplete-prompt  twotime
    chalk                                4.1.2    4.1.2   5.4.1   node_modules/chalk                                twotime
    configstore                          4.0.0    4.0.0   7.0.0   node_modules/configstore                          twotime
    inquirer                             8.2.6    8.2.6   12.3.2  node_modules/inquirer                             twotime
    inquirer-autocomplete-prompt         2.0.1    2.0.1   3.0.1   node_modules/inquirer-autocomplete-prompt         twotime
Delete the public package! At the moment this isn't possible as there are several owners who have left the company.
If possible, enable the use of the latest package versions as explained above.