
NPM shrinkwrap

npm dependencies are not locked down by default. Even if you add top-level dependencies with fixed version numbers in package.json, there is no guarantee that you will get exactly the same code on every install, because the sub-dependencies are not locked down.

This is where npm shrinkwrap comes into the picture.

Creating a new shrinkwrapped package

cd into your project directory root.

Install the current version of all the dependencies

$ npm install

Generate npm-shrinkwrap.json

$ npm shrinkwrap

Add and commit npm-shrinkwrap.json to git.

See the More Info section below for some of the quirks you may run into while using npm.

Updating an existing shrinkwrapped package

$ npm install

Add or update a package. This automatically updates both package.json and npm-shrinkwrap.json:

$ npm install --save left-pad@1.1.2

Add and commit npm-shrinkwrap.json and package.json to the git repo.

Deleting a dependency

$ npm uninstall --save left-pad

Note that we have not specified the exact version here. Doing so often causes problems when package.json does not pin an exact version but specifies a range with ~, ^ or other operators.

Needless to say, please test your package before committing the changes.
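A check worth running as part of that test, before committing: the following added example (not code from the original post) walks a constructed npm-shrinkwrap.json and its package.json and flags entries that are not pinned to an exact version, that lack a resolved URL or resolve outside the expected registry, and dependencies declared in package.json but missing from the shrinkwrap. The demo-app, some-lib, inner-util and new-dep names and the sample data are constructed for illustration; left-pad@1.1.2 is the post's own example.

```javascript
// Added example, not from the original post: audit npm-shrinkwrap.json against
// package.json before committing. Every entry in the shrinkwrap tree, nested
// sub-dependencies included, must be pinned to an exact version and carry a
// `resolved` URL from the expected registry, and every dependency declared in
// package.json must be present in the shrinkwrap. Plain Node.js, no extra packages.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/; // x.y.z, optional prerelease

// Returns a list of findings; an empty list means the lockfile is clean.
function auditShrinkwrap(shrinkwrap, pkg, registry = 'https://registry.npmjs.org/') {
  const findings = [];
  function walk(deps, path) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = path ? `${path} > ${name}` : name;
      if (!EXACT_VERSION.test(entry.version || '')) {
        findings.push(`${here}: version "${entry.version}" is not pinned to an exact release`);
      }
      if (!entry.resolved) {
        findings.push(`${here}: no resolved URL, install source is not recorded`);
      } else if (!entry.resolved.startsWith(registry)) {
        findings.push(`${here}: resolved from ${entry.resolved}, not ${registry}`);
      }
      walk(entry.dependencies, here); // sub-dependencies are what shrinkwrap locks down
    }
  }
  walk(shrinkwrap.dependencies, '');
  // A dependency declared in package.json but absent from the shrinkwrap is
  // resolved fresh at install time, which defeats the point of the lockfile.
  const locked = shrinkwrap.dependencies || {};
  for (const name of Object.keys(pkg.dependencies || {})) {
    if (!Object.prototype.hasOwnProperty.call(locked, name)) {
      findings.push(`${name}: declared in package.json but missing from npm-shrinkwrap.json`);
    }
  }
  return findings;
}

// Constructed sample input (not a real project): left-pad is locked correctly, a nested
// dependency carries a range and an off-registry URL, and new-dep was added to
// package.json without regenerating the shrinkwrap.
const sampleShrinkwrap = { name: 'demo-app', version: '1.0.0', dependencies: {
  'left-pad': { version: '1.1.2', resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.1.2.tgz' },
  'some-lib': { version: '2.0.0', resolved: 'https://registry.npmjs.org/some-lib/-/some-lib-2.0.0.tgz',
    dependencies: { 'inner-util': { version: '^0.3.1', resolved: 'http://mirror.example/inner-util-0.3.1.tgz' } } },
} };
const samplePackage = { dependencies: { 'left-pad': '1.1.2', 'some-lib': '^2.0.0', 'new-dep': '~3.1.0' } };

console.log(auditShrinkwrap(sampleShrinkwrap, samplePackage).join('\n'));
```

In a real project, replace the two constructed objects with the parsed contents of npm-shrinkwrap.json and package.json and fail the commit or CI step when the returned list is not empty.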

More Info

npm 3.10.7 and below ignore dev dependencies when generating npm-shrinkwrap.json. If you need to include dev dependencies as well, use the --dev flag.

npm 3.10.8+ includes dev dependencies by default.

There is also an issue with installing the fsevents dependency on Linux.
