Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

When to use shrinkwrap, npm-lockdown, or npm-seal

Tags:

npm

npm-shrinkwrap

I'm coming from a background much more familiar with composer. I'm getting gulp (etc) going for the build processes and learning node and how to use npm as I go.

It's very odd (again, coming from a composer background) that a composer.lock-like manifest is not included by default. Having said that, I've been reading documentation on [shrinkwrap], [npm-lockdown], and [npm-seal]. ...and the more documentation I read, the more confused I become as to which I should be choosing (everyone thinks their way is the best way). One of the issues I notice is that npm-seal hasn't changed in 4 years and npm-lockdown in 8 months -- this all leads me to wonder if this because it's not needed with the newest version of npm...

  1. What are the benefits / drawbacks of each?
  2. In what cases would I use one over another in Project A, but use a different one in Project B?
  3. How will each impact our development workflow?

PS: Brownie points if you include the most basic implementation example for each. ;)

like image 550
Nathan J.B. Avatar asked Jan 10 '16 03:01

Nathan J.B.

People also ask

Should I use npm shrinkwrap?

NPM shrinkwrap also helps you use same package versions on all environments (development, staging, production) and also improve download and installation speed. Having same versions of packages on all environments can help you test systems and deploy with confidence.

What is npm shrinkwrap vs package lock?

package-lock. json is never published to npm, whereas npm-shrinkwrap is by default. package-lock. json files that are not in the top-level package are ignored, but shrinkwrap files belonging to dependencies are respected.

What is use of npm shrinkwrap json?

json , npm-shrinkwrap. json may be included when publishing a package. The recommended use-case for npm-shrinkwrap. json is applications deployed through the publishing process on the registry: for example, daemons and command-line tools intended as global installs or devDependencies .

1 Answers

npm shrinkwrap is the most standard way how to lock your dependencies. And yes, npm install does not create it by default which is a pity and it is something that npm creators definitely should change.

npm-lockdown is trying to do the same things as npm shrinkwrap, there are two minor points in which npm-lockdown is better: it handles optional dependencies better and it validates checksums of the package:

https://www.npmjs.com/package/lockdown#related-tools

Both these features seem not so relevant for me; I'm quite happy with npm shrinkwrap: For example, npmjs guarantees that once you upload certain package at certain version, it stays immutable - so checking sha checksums is not so hot (I've never encountered an error caused by this).

seal is meant to be used together with npm shrinkwrap. It adds the 'checksum checking' aspect. It looks abandoned and quite raw.

like image 67
Tomas Kulich Avatar answered Sep 17 '22 18:09

Tomas Kulich
Sign in to Comment

Related questions

Permission denied when running npm dist
How do I force npm to reinstall a single package, even if the version number is the same?
How setup.py install npm module?
Error on installing angular/cli - not found: python2
npm not showing in VS2017
node_modules breaks build in Visual Studio
node-v59-linux-x64/grpc_node.node is missing
Installing NPM packages in angular 6 workspace
I keep getting `errno 4058` from npm
Upgrading to Babel-loader 8 from 7? What do I need to change?
React: npm start - windows cannot find localhost
'yarn' is not recognized as an internal or external command, operable program or batch file
NPM install issues Ubuntu 11.04 [closed]
Is there a module for getting user input from the command line in node.js?
Cannot make npm install -g work for my package
How can I diagnose why `npm publish` quietly does... nothing?
What does the --save-dev option mean in npm install? [duplicate]
grunt fails, "cannot find module 'tmp'"
Check if website is contactable
how to avoid large numbers from converting to Exponential in nodejs excel file read

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!