3

In my nodejs project I had to modify 4 of the node modules and upload them to our private corporate registry so the project will download the modified versions during builds. I did this by changing the resolved field in package-lock.json for each dependency from our virtual npm registry which forwards downloads to the public npm registry to our private registry.

This is working for 3 out of the 4 modules, however 1 module, phantomjs-prebuilt, will not download the one I uploaded. When I view its package.json after installing, its _resolved field shows the correct private registry I entered in package-lock.json, but the module doesn't have my modifications.

If I create a test project with a package.json that has phantomjs-prebuilt as its only dependency and modify the lock file to download from the private registry it will download the correct modified version I uploaded. I'm assuming there must be some transitive dependency overriding it, but I thought I would be able to see that from the lock file and override it. phantomjs-prebuilt only appears once in my lock file and that's where I'm making the change to the resolved field.

gary69
  • 3,620
  • 6
  • 36
  • 50

1 Answers1

0

I had a similar issue myself, recently. This may not help you in particular if releasing as a different version is not an option, but maybe others who stumble across this answer like I did.

What I did was to release a forked version of a package, under a new version.

So, I forked moddle-xml 10.0.0, and released a package 10.0.1337 into our private registry in Artifactory.

That way, I could replace the transitive package dependencies of a package that we used with the forked version 10.0.1337 (using npm-force-resolutions), not breaking any constraints like ^10.0.0. EDIT: If you want to replace a particular outside version, I think you can work with exclusion / inclusion filters.

The Artifactory-based registry would then offer a single virtual registry containing both the npm-local packages (including my fork) and npm-remote packages (the normal stuff from the default registry) setup guide. I would configure my local setup to only download from that virtual registry.

The Artifactory setup comes with a few pitfalls (like, you have to give read permissions to all physical repositories (npm-local AND npm-remote), not just the virtual one, and this one), but it works fine for me now.

(I'm sure something like this is possible with other than the Artifactory implementation, this particular thing is just the stuff I know)

RobertG
  • 1,550
  • 1
  • 23
  • 42