Is there a good way with npm (I'm on npm@5) to do a version bump for a nested dependency in a shrinkwrapped/lockfiled project?
Doing an npm install package@latest --save will update the shrinkwrap file as expected, but it also adds the dependency to package.json, which is not what I want. Doing an npm install --no-save package@latest will properly skip updating package.json, but it also won't update the shrinkwrap file.
Is there a simple way to update the sub-dependency and shrinkwrap file without touching package.json?
Adding or Updating Dependencies Manually
You can point your package.json file to that specific version of the dependency and run the npm install command to install only that version of the dependency in your project. Let's say you want to use react-router-dom 4.2.2 instead of the latest version.
If the nested dependency (with the vulnerability) is already fixed but the main dependency isn't, you can use the overrides field of package.json as explained in the StackOverflow answer. You'll need a reasonably new version of the npm CLI, v8.3.0 (2021-12-09), which comes with Node.
The workaround I most often use is a two-step process:
npm i --no-save subdependency@latest && npm shrinkwrap --dev
This is not ideal, but it works. Hopefully someone else has a one-step solution.
Update:
Nowadays, I do this:
npm i --save subdependency@latest && npm uninstall --save subdependency
...which is also annoying.
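As an added example (not code from the question or the answer above), a small Node script that checks the outcome of the workaround: it walks an npm@5 lockfileVersion 1 tree for every copy of the sub-dependency, flags copies still below the target version, and confirms package.json does not declare the sub-dependency directly. The script, its checkBump function and the sample package names are constructed here.

```javascript
// Added example, not from the question or answer above: verify the result of
// the two-step workaround against an npm@5 (lockfileVersion 1) lockfile.
// Package names and versions below are constructed samples.

// lockfileVersion 1 nests transitive copies under each entry's own
// "dependencies" object, so one package can appear several times in the tree.
function walkLockfile(tree, name, path = [], found = []) {
  for (const [dep, entry] of Object.entries(tree.dependencies || {})) {
    const here = path.concat(dep);
    if (dep === name) found.push({ path: here.join(' > '), version: entry.version });
    walkLockfile(entry, name, here, found); // recurse into nested copies
  }
  return found;
}

// Minimal comparison for plain x.y.z versions (no ranges or prerelease tags).
function semverGte(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] > pb[i];
  return true;
}

function checkBump(pkg, lock, name, minVersion) {
  // package.json must still not list the sub-dependency directly
  const declaredInPackageJson = ['dependencies', 'devDependencies', 'optionalDependencies']
    .some(k => pkg[k] && Object.prototype.hasOwnProperty.call(pkg[k], name));
  const copies = walkLockfile(lock, name);
  // a nested copy pinned by a parent's range can stay behind after the bump
  const stale = copies.filter(c => !semverGte(c.version, minVersion));
  return { declaredInPackageJson, copies, stale,
           ok: !declaredInPackageJson && copies.length > 0 && stale.length === 0 };
}

// Constructed sample: the hoisted copy was bumped, but some-lib still pins ^3.
const samplePackageJson = { name: 'app', dependencies: { 'some-lib': '^1.0.0' } };
const sampleLock = { lockfileVersion: 1, dependencies: {
  'some-lib': { version: '1.0.0', requires: { 'sub-dep': '^3.0.0' },
                dependencies: { 'sub-dep': { version: '3.9.9' } } },
  'sub-dep': { version: '4.17.0' },
} };

if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const [name, minVersion, pkgFile = 'package.json', lockFile = 'package-lock.json'] = process.argv.slice(2);
  const load = f => JSON.parse(fs.readFileSync(f, 'utf8'));
  const result = name ? checkBump(load(pkgFile), load(lockFile), name, minVersion)
                      : checkBump(samplePackageJson, sampleLock, 'sub-dep', '4.17.0');
  console.log(JSON.stringify(result, null, 2));
}
```

Run it as node check-bump.js sub-dep 4.17.0 in the project root after the workaround; with no arguments it runs against the embedded sample, where the stale nested copy under some-lib shows up and ok is false.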