12

Recently discovered npm-audit and on the first run it flagged a lot of vulnerabilities, mostly around packages and their dependencies.

Wanting to get these vulnerabilities resolved, I have discovered npm shrinkwrap, which allows me to specify what versions packages and their dependencies should use? That's how I see it anyway (please correct me if I'm wrong, I'm here to learn).

One example I am trying to fix is the module hoek; in my package.json this is set as "hoek": "^5.0.3".

When I run npm shrinkwrap, one of the dependencies has hoek set as version 2:

"boom": {
  "version": "2.10.1",
  "resolved": "https://registry.npmjs.org/boom/-/boom-2.10.1.tgz",
  "integrity": "sha1-OciRjO/1eZ+D+UkqhI9iWt0Mdm8=",
  "requires": {
    "hoek": "2.x.x"
  },
  "dependencies": {
    "hoek": {
      "version": "2.16.3",
      "resolved": "https://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz",
      "integrity": "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0="
    }
  }
},

I thought I could edit this and specify what version I want the dependency to use, like so:

"boom": {
  "version": "2.10.1",
  "resolved": "https://registry.npmjs.org/boom/-/boom-2.10.1.tgz",
  "integrity": "sha1-OciRjO/1eZ+D+UkqhI9iWt0Mdm8=",
  "dev": true,
  "requires": {
    "hoek": "2.x.x"
  },
  "dependencies": {
    "hoek": {
      "version": "5.0.3",
      "resolved": "https://registry.npmjs.org/hoek/-/hoek-5.0.3.tgz",
      "integrity": "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0=",
      "dev": true
    }
  }
},

However, when I run npm shrinkwrap or npm install, all this reverts to the original.

How do I go about managing this? Is shrinkwrap the right choice or am I trying to do things with it I simply cannot?

Thanks

Richlewis
  • Which version of npm are you using? If it's npm@5 you may want to use `package.lock` (enabled by default unless shrinkwrap within project) instead of shrinkwrap. – k0pernikus Jun 07 '18 at 15:01
  • For further information see: https://docs.npmjs.com/files/package-locks – k0pernikus Jun 07 '18 at 15:02
  • @k0pernikus thank you. Is it possible then to lock the version of hoek for a dependency, like the example in the question? – Richlewis Jun 07 '18 at 15:06
  • 1
    This is a good explanation of npm shrinkwrap https://stackoverflow.com/a/46132512/664054 – WhiteKnight Oct 28 '21 at 09:46
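To see why the hand-edit above does not survive the next npm install, here is an added example (not code from the question or the answers) that walks a lockfileVersion-1 tree such as npm-shrinkwrap.json, lists every installed copy of a package, and flags entries whose resolved version fails the range their dependant declares in "requires". The sample lockfile is constructed to mirror the one in the question; `satisfies` is a deliberately minimal range matcher, not the npm semver library.

```javascript
// Added example (not code from the question or answers): walk a lockfileVersion-1
// tree (npm-shrinkwrap.json / package-lock.json), list every installed copy of a
// package, and flag entries whose resolved version fails the range the dependant
// declares in "requires". The edit tried in the question is such a mismatch.
const sampleLock = { // constructed, modelled on the question's lockfile
  lockfileVersion: 1,
  dependencies: {
    hoek: { version: "5.0.3" },
    boom: { version: "2.10.1", requires: { hoek: "2.x.x" },
            dependencies: { hoek: { version: "2.16.3" } } },
  },
};
const handEdited = JSON.parse(JSON.stringify(sampleLock)); // the edit tried in the question
handEdited.dependencies.boom.dependencies.hoek.version = "5.0.3";
// Minimal matcher for the range forms found in such lockfiles: exact "1.2.3",
// wildcard "2.x.x" / "2.x" / "2", caret "^1.2.3", tilde "~1.2.3".
// Assumption: no prerelease tags and no compound ranges (">=1 <2", "||").
function satisfies(version, range) {
  const v = version.split(".").map(Number);
  const m = range.match(/^([\^~]?)(\d+)(?:\.(\d+|x|\*))?(?:\.(\d+|x|\*))?$/);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const wild = (p) => p === undefined || p === "x" || p === "*";
  const lo = [Number(m[2]), wild(m[3]) ? 0 : Number(m[3]), wild(m[4]) ? 0 : Number(m[4])];
  const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
  if (cmp(v, lo) < 0) return false;                                   // below the floor
  if (m[1] === "^") return lo[0] > 0 ? v[0] === lo[0]                 // ^1.2.3: same major
    : lo[1] > 0 ? v[0] === 0 && v[1] === lo[1] : cmp(v, lo) === 0;    // ^0.2.3 / ^0.0.3
  if (m[1] === "~" || (!wild(m[3]) && wild(m[4]))) return v[0] === lo[0] && v[1] === lo[1];
  if (wild(m[3])) return v[0] === lo[0];                              // 2.x.x, 2.x, 2
  return cmp(v, lo) === 0;                                            // exact
}
// npm resolves each name in "requires" from the nearest enclosing "dependencies" map.
function checkLock(lock, name) {
  const copies = [], mismatches = [];
  const visit = (node, scope, path) => {
    for (const [dep, entry] of Object.entries(node.dependencies || {})) {
      const here = path.concat(dep), inner = scope.concat(entry);
      if (dep === name) copies.push({ path: here.join(" > "), version: entry.version });
      for (const [req, range] of Object.entries(entry.requires || {})) {
        const found = inner.map((n) => (n.dependencies || {})[req]).filter(Boolean).pop();
        if (!found || !satisfies(found.version, range))
          mismatches.push({ path: here.join(" > "), requires: `${req}@${range}`, got: found ? found.version : null });
      }
      visit(entry, inner, here);
    }
  };
  visit(lock, [lock], []);
  return { copies, mismatches };
}
```

Run `checkLock(sampleLock, "hoek")` to see both installed copies of hoek (top-level 5.0.3 and boom's nested 2.16.3) with no mismatches; `checkLock(handEdited, "hoek")` reports boom requiring hoek@2.x.x but resolving 5.0.3, the inconsistency npm removes by regenerating the file.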

2 Answers

16

NPM shrinkwrap is used to lock the dependency version in a project.

After installing packages using npm install or npm install package-name and updating your node_modules folder, you should run npm shrinkwrap.

It will create a new npm-shrinkwrap.json file with information about all the packages you use, and you have to commit the file.

Next time, when someone calls npm install, it will install packages from npm-shrinkwrap.json and you will have the same environment on all machines.

Raja Sekar
  • 3
    Thanks for answering Raja, however my problem is that after I have edited the `npm-shrinkwrap.json` and committed it, running `npm install` overrides it – Richlewis Jun 07 '18 at 14:41
  • You should not edit npm-shrinkwrap.json, you have to auto generate it by running npm shrinkwrap. – Raja Sekar Jun 07 '18 at 14:43
  • 1
    I do have another question.. What is the point of `shrinkwrap` when we have a `package.json` file? How do they differ? – Richlewis Jun 07 '18 at 14:53
  • 3
    @Richlewis The accepted answer doesn't seem to answer your question. – divine Aug 11 '21 at 13:09
  • @Richlewis: Were you able to resolve this issue? I am facing the same problem. Whenever I change the version in the npm-shrinkwrap.json file and do npm install, it reverts back to the previous version only. Could you please help me? – Pinki Sharma Nov 10 '21 at 07:12
  • @PinkiSharma the package.json is the source of truth. npm-shrinkwrap.json and package-lock.json are generated from that. You should change the version in your package.json, run `npm install` (which updates the package-lock.json) and then run `npm shrinkwrap` which will update your npm-shrinkwrap.json – bzzWomp Dec 08 '22 at 11:04
  • 2
    @RajaSekar I thought the purpose of "when someone calls npm install, it will install packages from npm-shrinkwrap.json and you will have the same environment on all machines." was `package-lock.json`. What's the difference between "npm-shrinkwrap.json" and "package-lock.json"? – Marc Mar 02 '23 at 17:03
2

npm-shrinkwrap.json is honored by npm publish, meaning it will be included in the final package.

package.json will be ignored by npm publish, and as a result your final package will not have any means to "lock" package versions.

Vitaliy Markitanov
  • Answer [checks out at docs.npmjs.com](https://docs.npmjs.com/cli/v9/commands/npm-shrinkwrap#description): "_This command repurposes package-lock.json into a publishable npm-shrinkwrap.json or simply creates a new one. The file created and updated by this command will then take precedence over any other existing or future package-lock.json files._" – ruffin Aug 01 '23 at 15:08