Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Understanding NPM shrinkwrap

Recently discovered npm-audit and on the first run it flagged a lot of vulnerabilities, mostly around packages and their dependencies.

Wanting to get these vulnerabilities resolved I have discovered npm shrinkwrap which allows me to specify what versions and its dependencies should use? That's how I see it anyway (Please correct me if wrong, here to learn).

One example I am trying to fix is the module hoek, in my package.json this is set as "hoek": "^5.0.3"

When I run npm shrinkwrap one of the dependencies has hoek set as version 2

"boom": {
  "version": "2.10.1",
  "resolved": "https://registry.npmjs.org/boom/-/boom-2.10.1.tgz",
  "integrity": "sha1-OciRjO/1eZ+D+UkqhI9iWt0Mdm8=",
  "requires": {
    "hoek": "2.x.x"
  },
  "dependencies": {
    "hoek": {
      "version": "2.16.3",
      "resolved": "https://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz",
      "integrity": "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0="
    }
  }
},

I thought I could edit this and specify what version i want the dependency to use like so

  "boom": {
  "version": "2.10.1",
  "resolved": "https://registry.npmjs.org/boom/-/boom-2.10.1.tgz",
  "integrity": "sha1-OciRjO/1eZ+D+UkqhI9iWt0Mdm8=",
  "dev": true,
  "requires": {
    "hoek": "2.x.x"
  },
  "dependencies": {
    "hoek": {
      "version": "5.0.3",
      "resolved": "https://registry.npmjs.org/hoek/-/hoek-5.0.3.tgz",
      "integrity": "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0=",
      "dev": true
    }
  }
},

However when I run npm shrinkwrap or npm install all this reverts to the original

How do I go about managing this? Is shrinkwrap the right choice or am I trying to do things with it I simply cannot?

Thanks

like image 774
Richlewis Avatar asked Jun 07 '18 14:06

Richlewis


1 Answers

NPM shrinkwrap is used to lock the dependency version in a project.

After installing packages using npm install or npm install package-name and updating your node_modules folder, you should run npm shrinkwrap

It will create new npm-shrinkwrap.json file with information about all packages you use and you have to commit the file.

Next time, when someone calls npm install, it will install packages from npm-shrinkwrap.json and you will have the same environment on all machines.

like image 53
Raja Sekar Avatar answered Sep 19 '22 18:09

Raja Sekar