Questions tagged [npm-shrinkwrap]

"npm shrinkwrap" is a command in the npm CLI that is used as a deployment mechanism for locking down dependency versions for publication.

npm shrinkwrap is a deployment mechanism used by npm that recursively saves the exact version of every dependency's dependencies to an npm-shrinkwrap.json file.

60 questions
205 votes, 4 answers

What is the difference between npm-shrinkwrap.json and package-lock.json?

With the release of npm@5, it will now write a package-lock.json unless a npm-shrinkwrap.json already exists. I installed npm@5 globally via: npm install npm@5 -g And now, if a npm-shrinkwrap.json is found during: npm install a warning will be…
k0pernikus
131 votes, 3 answers

How do I override nested dependencies with `yarn`?

If my package has these dependencies { "name": "my-package", "dependencies": { "foobar":"~1.0.3", "baz":"2.0.9" } And the foobar package has these dependencies { "name": "foobar", "dependencies": { "baz":"^2.0.0" } and the most recently…
Chris W.
35 votes, 1 answer

NPM lockfiles/shrinkwrap get random "dl" parameter tacked on to the "resolved" URL

Our company uses an Artifactory repository for storing internally-published packages and as a proxy for the NPM registry. Sometimes the resolved field in lockfiles/shrinkwrap files is as expected, containing URLs for our internal repository, but…
Jacob
12 votes, 2 answers

Understanding NPM shrinkwrap

Recently discovered npm-audit and on the first run it flagged a lot of vulnerabilities, mostly around packages and their dependencies. Wanting to get these vulnerabilities resolved I have discovered npm shrinkwrap which allows me to specify what…
Richlewis
7 votes, 2 answers

react : NPM install fails

I tried installing a package in my react app using npm, and for some reason it fails: it shows the following error: npm ERR! Object for dependency "@babel/generator" is empty. npm ERR! Something went wrong. Regenerate the package-lock.json with "npm…
Developer Hub
7 votes, 1 answer

How to delete all nested keys with JQ

I would like to delete all the resolved from an npm shrinkwrap json file. This is causing a problem when running npm install on another machine. "cssstyle": { "version": "0.2.37", "from": "cssstyle@>=0.2.29 <0.3.0", "resolved":…
Stranger B.
7 votes, 1 answer

fsevents (pulled in by chokidar) in npm shrinkwrap causes build to fail on Windows

OSX-only fsevents is listed in the npm shrinkwrap because it's pulled in by chokidar. Our production is Linux based and it didn't cause any trouble there, obviously OSX developers are fine too, but it broke npm install on my Win x64 environment. How…
Csaba Toth
7 votes, 1 answer

How can I switch between a linked npm dependency (in development) and an installed dependency (in staging/prod)?

I have a custom npm module that I am working on, and it has a GitHub repo. I'm also working on a project that uses the custom module. When working on the larger project, it is nice to use npm link so I can make changes to the module and see them…
mherzig
7 votes, 3 answers

When to use shrinkwrap, npm-lockdown, or npm-seal

I'm coming from a background much more familiar with composer. I'm getting gulp (etc) going for the build processes and learning node and how to use npm as I go. It's very odd (again, coming from a composer background) that a composer.lock-like…
Nathan J.B.
6 votes, 0 answers

npm-shrinkwrap.json appends ?dl=https://registry.npmjs.org/... to all "resolved" properties

When I am using the command npm install all resolved properties of npm-shrinkwrap.json append ?dl=https://registry.npmjs.org/. Example ..., "@types/hammerjs": { "version": "2.0.35", "resolved":…
Laurent Jacquot
6 votes, 1 answer

Updating an indirect dependency in shrinkwrapped project

Is there a good way with npm (I'm on npm@5) to do a version bump for a nested dependency in a shrinkwrapped/lockfiled project? Doing an npm install package@latest --save will update the shrinkwrap file as expected, but it also adds the dependency…
Jacob
6 votes, 1 answer

npm update packages recursively

I have a project like this. I want to update all private_mod version (root and nested levels) to 1.3.2. Is there an npm way to do so? Note: Each dependency (dep-1, dep-2, dep-3) has its own package.json. One way that I can think of doing is: -…
rohit12sh
5 votes, 0 answers

How to extract the closest node.js version used from existing package-lock.json?

My package-lock.json and package.json do not specify the node.js version used to generate the package-lock.json in my repo. I can iterate over node versions using nvm to see which one yields minimal git diff to the previous package-lock file in my…
4 votes, 1 answer

How to use npm-shrinkwrap with workspaces?

I have a monorepo project, with one of the packages being a cli. And to prevent an npm supply chain attack, I am thinking of using npm-shrinkwrap. The documentation here says: The recommended use-case for npm-shrinkwrap.json is applications deployed…
dade
4 votes, 1 answer

reduce size of node_modules for production

I created node_modules for uploading addon to online site from localhost with help of ngrok and using npm install in CommandPrompt. But the created node_modules folder size was 78mb. In that case I must reduce the size by removing the unwanted…
Hari Prasath