I have a large, existing package-lock.json and a lot of dependencies that have been resolved via http://registry.npmjs.org/.
e.g.
{
  "name": "my-package",
  "version": "1.2.3",
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
    "@babel/cli": {
      "version": "7.7.4",
      "resolved": "https://registry.npmjs.org/@babel/cli/-/cli-7.7.4.tgz",
      "integrity": "sha512-O7mmzaWdm+VabWQmxuM8hqNrWGGihN83KfhPUzp2lAW4kzIMwBxujXkZbD4fMwKMYY9FXTbDvXsJqU+5XHXi4A==",
      "dev": true,
      "requires": {
        "chokidar": "^2.1.8",
        "commander": "^4.0.1",
        "convert-source-map": "^1.1.0",
        "fs-readdir-recursive": "^1.1.0",
        "glob": "^7.0.0",
        "lodash": "^4.17.13",
        "make-dir": "^2.1.0",
        "slash": "^2.0.0",
        "source-map": "^0.5.0"
      },
      "dependencies": {
        "commander": {
          "version": "4.0.1",
          "resolved": "https://registry.npmjs.org/commander/-/commander-4.0.1.tgz",
          "integrity": "sha512-IPF4ouhCP+qdlcmCedhxX4xiGBPyigb8v5NeUp+0LyhwLgxMqyp3S0vl7TAPfS/hiP7FC3caI/PB9lTmP8r1NA==",
          "dev": true
        },
        "make-dir": {
          "version": "2.1.0",
          "resolved": "https://registry.npmjs.org/make-dir/-/make-dir-2.1.0.tgz",
          "integrity": "sha512-LS9X+dc8KLxXCb8dni79fLIIUA5VyZoyjSMCwTluaXA0o27cCK0bhXkpgw+sTXVpPy/lSO57ilRixqk0vDmtRA==",
          "dev": true,
          "requires": {
            "pify": "^4.0.1",
            "semver": "^5.6.0"
          }
        },
        "pify": {
          "version": "4.0.1",
          "resolved": "https://registry.npmjs.org/pify/-/pify-4.0.1.tgz",
          "integrity": "sha512-uB80kBFb/tfd68bVleG9T5GGsGPjJrLAUpR5PZIrhBnIaRTQRjqdJSsIKkOP6OAIFbj7GOrcudc5pNjZ+geV2g==",
          "dev": true
        },
        "source-map": {
          "version": "0.5.7",
          "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.5.7.tgz",
          "integrity": "sha1-igOdLRAh0i0eoUyA2OpGi6LvP8w=",
          "dev": true
        }
      }
    },
    ...
I have my registry configured to be an NPM Enterprise installation that hosts proprietary NPM packages and mirrors the public NPM registry.
registry = "https://custom.registry.tld/path/npm/npm-aggregate"
This works for newly installed packages, but many existing packages still point to the public NPM registry. I tried overwriting the package-lock.json using npm i or npm i --package-lock-only.
How can I force NPM to use my Enterprise NPM registry and write the correct resolved URLs to package-lock.json? I probably could just "find and replace", but I want to make sure that NPM is resolving dependencies correctly.
I am running npm -v 6.14.15
I simply changed the registry entries manually in the package-lock.json and deleted the node_modules folder, then ran an npm i to solve this issue.
Some solutions that didn't work for me:
I tried to change the registry using the npm CLI by clearing the cache with npm cache clear --force and by running npm i --registry, but none of this worked. The registry didn't change at all, and in fact was reverted after running npm i in any form.
I then tried to remove the package-lock.json and node_modules and ran an install. This caused a lot of versions in my package-lock.json to change and caused my particular project's builds to fail.
I found that the steps I followed got what I wanted although it may not be a part of best practices with npm.
Unfortunately, the package-lock.json file is meant to hardcode the registry of each package. It is intended.
We could imagine a future option in NPM to force the registry, in combination with an integrity check to make sure the packages are identical. (Feel free to send a feature request to the core team.)
As of today, npm does not cover this use case. You are forced to ignore the package-lock.json to bypass this limitation.
(as of today, the latest version of NPM is 8.13.2)
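The manual edit from the first answer, combined with the integrity check the second answer mentions, as an added example (not code from either answer or from npm): it rewrites only the `resolved` URLs in a lockfileVersion 1 tree and leaves `integrity` untouched, so npm still verifies the mirror's tarball against the originally recorded hash, and it reports entries whose hash is only sha1 or missing. It assumes the mirror serves tarballs under the same path as the public registry; `rewriteLock` and `@acme/internal` are hypothetical names.

```javascript
// Added example: point lockfileVersion 1 "resolved" URLs at a mirror.
const PUBLIC = /^https?:\/\/registry\.npmjs\.org\//;

// Assumption: the mirror serves tarballs under the same path as the public registry.
function rewriteLock(lock, mirrorBase) {
  const base = mirrorBase.replace(/\/+$/, '') + '/';
  const report = { rewritten: [], weakIntegrity: [], missingIntegrity: [] };
  (function walk(deps, trail) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const id = `${trail}${name}@${entry.version}`;
      if (typeof entry.resolved === 'string' && PUBLIC.test(entry.resolved)) {
        entry.resolved = entry.resolved.replace(PUBLIC, base);
        report.rewritten.push(id);
        // "integrity" is never modified: npm checks the mirror's tarball against it.
        if (!entry.integrity) report.missingIntegrity.push(id);
        else if (!/(^|\s)sha(256|384|512)-/.test(entry.integrity)) report.weakIntegrity.push(id);
      }
      walk(entry.dependencies, `${id} > `); // lockfileVersion 1 nests dependency trees
    }
  })(lock.dependencies, '');
  return report;
}

// Constructed sample modelled on the excerpt in the question; the sha512 values
// are placeholders, the sha1 value is the one shown for source-map.
const MIRROR = 'https://custom.registry.tld/path/npm/npm-aggregate';
const sample = {
  lockfileVersion: 1,
  dependencies: {
    '@babel/cli': {
      version: '7.7.4',
      resolved: 'https://registry.npmjs.org/@babel/cli/-/cli-7.7.4.tgz',
      integrity: 'sha512-PLACEHOLDER==',
      dependencies: {
        'source-map': {
          version: '0.5.7',
          resolved: 'https://registry.npmjs.org/source-map/-/source-map-0.5.7.tgz',
          integrity: 'sha1-igOdLRAh0i0eoUyA2OpGi6LvP8w=',
        },
      },
    },
    '@acme/internal': { // hypothetical private package, already on the mirror
      version: '1.0.0',
      resolved: MIRROR + '/@acme/internal/-/internal-1.0.0.tgz',
      integrity: 'sha512-PLACEHOLDER==',
    },
  },
};
const sampleReport = rewriteLock(sample, MIRROR);
console.log(JSON.stringify(sampleReport, null, 2));
```

To use it on a real project, pass it the parsed package-lock.json, write the result back, and reinstall from a clean node_modules as the first answer describes; an EINTEGRITY failure then means the mirror's tarball differs from what the lock file recorded.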