I'm authoring a package A which I want to publish to NPM.
A has a dependency on package B, which in turn has a dependency on package C. C then has two optional native dependencies, D and E. I know for certain I have no use for the optional dependencies D and E, and NEVER want to try and install them when someone installs my package.
I know you can use the command npm install A --no-optional -g
to install the package without optional dependencies, but this would be knowledge/overhead that I'd rather consumers of the package not need.
Is there any npm config or workaround where consumers of package A can just npm install A
or npm install -g A
and optional dependencies will never be installed?
Thanks
By default, npm install will install all modules listed as dependencies in package.json. With the --production flag (or when the NODE_ENV environment variable is set to production), npm will not install modules listed in devDependencies.
If the nested dependency (with the vulnerability) is already fixed but the main dependency isn't, you can use the overrides field of package.json as explained in a StackOverflow answer. You'll need a fairly recent version of the npm CLI, v8.3.0 (2021-12-09), which comes with Node.
See npm-folders(5). The --link argument will cause npm to link global installs into the local space in some cases. The --no-bin-links argument will prevent npm from creating symlinks for any binaries the package might contain. The --no-optional argument will prevent optional dependencies from being installed.
npm install A --no-optional
Test to see if everything works.
npm list
Make sure you have no errors.
npm shrinkwrap
That will lock down the dependencies for the packages.
That way npm install will look into npm-shrinkwrap.json before trying to install dependencies.
You can read more about it here https://docs.npmjs.com/cli/shrinkwrap