16

I have a large, existing package-lock.json and a lot of dependencies that have been resolved via http://registry.npmjs.org/.

e.g.

{
  "name": "my-package",
  "version": "1.2.3",
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
    "@babel/cli": {
      "version": "7.7.4",
      "resolved": "https://registry.npmjs.org/@babel/cli/-/cli-7.7.4.tgz",
      "integrity": "sha512-O7mmzaWdm+VabWQmxuM8hqNrWGGihN83KfhPUzp2lAW4kzIMwBxujXkZbD4fMwKMYY9FXTbDvXsJqU+5XHXi4A==",
      "dev": true,
      "requires": {
        "chokidar": "^2.1.8",
        "commander": "^4.0.1",
        "convert-source-map": "^1.1.0",
        "fs-readdir-recursive": "^1.1.0",
        "glob": "^7.0.0",
        "lodash": "^4.17.13",
        "make-dir": "^2.1.0",
        "slash": "^2.0.0",
        "source-map": "^0.5.0"
      },
      "dependencies": {
        "commander": {
          "version": "4.0.1",
          "resolved": "https://registry.npmjs.org/commander/-/commander-4.0.1.tgz",
          "integrity": "sha512-IPF4ouhCP+qdlcmCedhxX4xiGBPyigb8v5NeUp+0LyhwLgxMqyp3S0vl7TAPfS/hiP7FC3caI/PB9lTmP8r1NA==",
          "dev": true
        },
        "make-dir": {
          "version": "2.1.0",
          "resolved": "https://registry.npmjs.org/make-dir/-/make-dir-2.1.0.tgz",
          "integrity": "sha512-LS9X+dc8KLxXCb8dni79fLIIUA5VyZoyjSMCwTluaXA0o27cCK0bhXkpgw+sTXVpPy/lSO57ilRixqk0vDmtRA==",
          "dev": true,
          "requires": {
            "pify": "^4.0.1",
            "semver": "^5.6.0"
          }
        },
        "pify": {
          "version": "4.0.1",
          "resolved": "https://registry.npmjs.org/pify/-/pify-4.0.1.tgz",
          "integrity": "sha512-uB80kBFb/tfd68bVleG9T5GGsGPjJrLAUpR5PZIrhBnIaRTQRjqdJSsIKkOP6OAIFbj7GOrcudc5pNjZ+geV2g==",
          "dev": true
        },
        "source-map": {
          "version": "0.5.7",
          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.5.7.tgz",
          "integrity": "sha1-igOdLRAh0i0eoUyA2OpGi6LvP8w=",
          "dev": true
        }
      }
    },
    ...

I have my registry configured to be an NPM Enterprise installation that hosts proprietary NPM packages and mirrors the public NPM registry.

registry = "https://custom.registry.tld/path/npm/npm-aggregate"

This works for newly installed packages, but many existing packages still point to the public NPM registry. I tried overwriting the package-lock.json using `npm i` or `npm i --package-lock-only`.

How can I force NPM to use my Enterprise NPM registry and write the correct resolved URLs to package-lock.json? I probably could just "find and replace", but I want to make sure that NPM is resolving dependencies correctly.

mitchkman
  • 3
    We've had the same issue not a while back. What we ended up doing was changing the registry URL manually, removing `node_modules` and running `npm i` again to check that it works. – Dimkin Jan 25 '21 at 10:15
  • 1
    I just think `package-lock.json` has been designed to hardcode the registry. Could it be to avoid package collision if 2 registries own 2 different packages with the same name? It bothers me for the exact same reason as you. I haven't found a solution so far. – Gabriel Jun 17 '22 at 09:24
  • Wouldn't a simple search & replace in `package-lock.json` be enough? – chkpnt Sep 22 '22 at 06:43

5 Answers

10

I am running npm -v 6.14.15

I simply changed the registry entries manually in the package-lock.json and deleted the node_modules folder, then ran an npm i to solve this issue.

Some solutions that didn't work for me:

When I tried to change the registry using the npm CLI, by clearing the cache with `npm cache clear --force` and running `npm i --registry`, none of this worked. The registry didn't change at all, and in fact was reverted after running `npm i` in any form.

I then tried to remove the package-lock.json and node_modules and ran an install. This caused a lot of versions in my package-lock.json to change and caused my particular project's builds to fail.

I found that the steps I followed got what I wanted although it may not be a part of best practices with npm.

  • What's the point of having a lock file if you don't use it? If you run `npm i`, you will update the lock file; if you run `npm ci`, you will use the lock file. – Gabriel Jun 17 '22 at 08:33
  • 1
    @Gabriel the request here is to use the new repository without changing the version numbers. It appears npm does not provide any solution for that, so manually updating the `package-lock.json` appears to be the only solution. – Didier L Aug 23 '22 at 14:34
6

Unfortunately, the package-lock.json file is meant to hardcode the registry of each package. It is intended.

We could imagine a future option in NPM to force the registry, in combination with an integrity check to make sure the packages are identical. (Feel free to send a feature request to the core team)

As of today, npm does not cover this use case. You are forced to ignore the package-lock.json to bypass this limitation.

(as of today, the latest version of NPM is 8.13.2)

Gabriel
3

Overriding the registry will not replace existing "resolved": "https://xxx..." entries in the package-lock.json.

If this one is wrong from a previous creation, you have to delete it, then run your `npm i` again. It will create a fresh one with the registry previously configured.

  • I initially downvoted this answer, but I changed my mind. Unfortunately, it is too late to change my vote. – Gabriel Jul 01 '22 at 09:55
  • 2
    The problem with deleting the file is that you will lose the version numbers that you initially had, so it will do more than changing the URLs. – Didier L Aug 23 '22 at 14:37
0
  1. Find/replace registry in package-lock
  2. Delete node_modules
  3. Verify npm install works
JBallin
0

It is possible to force the "resolved" and "integrity" fields to be regenerated by

  • Edit package-lock.json and remove all the "resolved" and "integrity" properties.
  • Clear the npm cache: `npm cache clean --force`
  • Run npm install

You should now have a package-lock.json with fresh resolved and integrity properties, yet all the dependency versions should be unchanged.

Yacine Zalouani
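The find-and-replace approach and the regenerate approach from the answers above, as an added example that is not part of any answer: `rewriteResolved` swaps only the registry prefix in a lockfileVersion 1 tree and leaves `version` and `integrity` alone, and `lockDrift` lists packages whose version or integrity differs between two lockfiles. The function names and sample data are constructed here, and the code assumes the mirror serves tarballs under the same relative paths as the public registry.

```javascript
const PUBLIC = 'https://registry.npmjs.org/';
const MIRROR = 'https://custom.registry.tld/path/npm/npm-aggregate/'; // from the question
// Constructed sample, lockfileVersion 1 shape; integrity values are placeholders.
const SAMPLE = { lockfileVersion: 1, dependencies: {
  '@babel/cli': {
    version: '7.7.4', integrity: 'sha512-PLACEHOLDER-A',
    resolved: PUBLIC + '@babel/cli/-/cli-7.7.4.tgz',
    dependencies: { pify: { version: '4.0.1', integrity: 'sha512-PLACEHOLDER-B',
      resolved: PUBLIC + 'pify/-/pify-4.0.1.tgz' } },
  },
  'other-host': { version: '1.0.0', integrity: 'sha512-PLACEHOLDER-C',
    resolved: 'https://other.example/other-host-1.0.0.tgz' },
} };

// Yield [path, entry] for every package, including nested "dependencies".
function* walk(deps = {}, prefix = '') {
  for (const [name, entry] of Object.entries(deps)) {
    yield [prefix + name, entry];
    yield* walk(entry.dependencies, prefix + name + ' > ');
  }
}

// Copy the lockfile and swap only the registry prefix of each "resolved" URL
// (assumes identical relative tarball paths on the mirror).
function rewriteResolved(lock, from = PUBLIC, to = MIRROR) {
  const copy = JSON.parse(JSON.stringify(lock));
  const skipped = [];
  let changed = 0;
  for (const [path, entry] of walk(copy.dependencies)) {
    if (typeof entry.resolved !== 'string') continue; // no URL recorded
    if (entry.resolved.startsWith(from)) {
      entry.resolved = to + entry.resolved.slice(from.length);
      changed += 1;
    } else if (!entry.resolved.startsWith(to)) {
      skipped.push(path); // some other host: review by hand
    }
  }
  return { lock: copy, changed, skipped };
}

// List packages whose version or integrity differs between two lockfiles.
function lockDrift(before, after) {
  const next = new Map(walk(after.dependencies));
  const same = (a, b) => b && a.version === b.version && a.integrity === b.integrity;
  return [...walk(before.dependencies)]
    .filter(([path, old]) => !same(old, next.get(path)))
    .map(([path]) => path);
}
```

Entries reported in `skipped` or by `lockDrift` are the ones to inspect before committing the new lockfile.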