
Recently discovered npm-audit and on the first run it flagged a lot of vulnerabilities, mostly around packages and their dependencies.

Wanting to get these vulnerabilities resolved I have discovered npm shrinkwrap, which allows me to specify what versions packages and their dependencies should use? That's how I see it anyway (Please correct me if wrong, here to learn).

One example I am trying to fix is the module hoek, in my package.json this is set as "hoek": "^5.0.3"

When I run npm shrinkwrap one of the dependencies has hoek set as version 2

"boom": {
  "version": "2.10.1",
  "resolved": "https://registry.npmjs.org/boom/-/boom-2.10.1.tgz",
  "integrity": "sha1-OciRjO/1eZ+D+UkqhI9iWt0Mdm8=",
  "requires": {
    "hoek": "2.x.x"
  },
  "dependencies": {
    "hoek": {
      "version": "2.16.3",
      "resolved": "https://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz",
      "integrity": "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0="
    }
  }
},

I thought I could edit this and specify what version I want the dependency to use like so

"boom": {
  "version": "2.10.1",
  "resolved": "https://registry.npmjs.org/boom/-/boom-2.10.1.tgz",
  "integrity": "sha1-OciRjO/1eZ+D+UkqhI9iWt0Mdm8=",
  "dev": true,
  "requires": {
    "hoek": "2.x.x"
  },
  "dependencies": {
    "hoek": {
      "version": "5.0.3",
      "resolved": "https://registry.npmjs.org/hoek/-/hoek-5.0.3.tgz",
      "integrity": "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0=",
      "dev": true
    }
  }
},

However, when I run npm shrinkwrap or npm install all this reverts to the original.

How do I go about managing this? Is shrinkwrap the right choice or am I trying to do things with it I simply cannot?

Thanks

Richlewis
  • Which version of npm are you using? If it's npm@5 you may want to use `package.lock` (enabled by default unless shrinkwrap within project) instead of shrinkwrap. – k0pernikus Jun 07 '18 at 15:01
  • For further information see: https://docs.npmjs.com/files/package-locks – k0pernikus Jun 07 '18 at 15:02
  • @k0pernikus thank you. Is it possible then to lock the version of hoek then for a dependency, like the example in the question ? – Richlewis Jun 07 '18 at 15:06
  • This is a good explanation of npm shrinkwrap https://stackoverflow.com/a/46132512/664054 – WhiteKnight Oct 28 '21 at 09:46

1 Answer


NPM shrinkwrap is used to lock the dependency version in a project.

After installing packages using npm install or npm install package-name and updating your node_modules folder, you should run npm shrinkwrap

It will create a new npm-shrinkwrap.json file with information about all packages you use, and you have to commit the file.

Next time, when someone calls npm install, it will install packages from npm-shrinkwrap.json and you will have the same environment on all machines.

Raja Sekar
Thanks for answering Raja, however my problem is that after I have edited the `npm-shrinkwrap.json` and committed it, running `npm install` overrides it – Richlewis Jun 07 '18 at 14:41
  • You should not edit npm-shrinkwrap.json, you have to auto generate it by running npm shrinkwrap. – Raja Sekar Jun 07 '18 at 14:43
  • I do have another question.. What is the point `shrinkwrap` when we have a `package.json` file ? How do they differ? – Richlewis Jun 07 '18 at 14:53
  • @Richlewis The accepted answer doesn't seem to answer your question. – divine Aug 11 '21 at 13:09
  • @Richlewis: Were you able to resolve this issue ?? I am facing the same problem. Whenever I change the version in the npm-shrinkwrap.json file and do npm install, it reverts back to the previous version only. Could you please help me ? – Pinki Sharma Nov 10 '21 at 07:12
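Added example (not code from the question or the answer): before touching a lockfile by hand, it helps to see every copy of a package that npm has pinned and which parent's "requires" range caused an older copy to be nested, which is what the boom/hoek entry in the question shows. The script below walks a lockfile of that nested "dependencies" shape; LOCK is a constructed lockfile mirroring the question's case, and "5.0.3" is simply the version from the question's package.json, standing in for the fixed version an audit advisory would name.

```javascript
// Added example (not from the question or answer): walk a lockfile of the nested
// "dependencies" shape shown in the question and list every copy of a package,
// tracing each to the parent whose "requires" range made npm nest an older copy.
// LOCK is constructed to mirror the question's boom/hoek case (hashes omitted).
const LOCK = {
  lockfileVersion: 1,
  dependencies: {
    hoek: { version: "5.0.3", resolved: "https://registry.npmjs.org/hoek/-/hoek-5.0.3.tgz" },
    boom: {
      version: "2.10.1",
      requires: { hoek: "2.x.x" },
      dependencies: {
        hoek: { version: "2.16.3", resolved: "https://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz" }
      }
    }
  }
};
// Collect every copy of `name`; `node` is the lock root or a dependency entry,
// `path` the chain of package names leading to the current level.
function findCopies(node, name, path = [], out = []) {
  for (const [depName, entry] of Object.entries(node.dependencies || {})) {
    const here = [...path, depName];
    if (depName === name) {
      // The parent's "requires" range explains the nested copy (null at top level,
      // where the version comes from package.json instead).
      const range = node.requires && node.requires[name] ? node.requires[name] : null;
      out.push({ version: entry.version, path: here.join(" > "), range });
    }
    findCopies(entry, name, here, out); // descend into nested dependencies
  }
  return out;
}
// Plain numeric x.y.z comparison (no prerelease handling): returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}
// Copies older than `minVersion`; take the fixed version from the audit advisory
// ("5.0.3" in the demo below is just the version from the question's package.json).
function outdatedCopies(lock, name, minVersion) {
  return findCopies(lock, name).filter((c) => compareVersions(c.version, minVersion) < 0);
}
if (typeof require !== "undefined" && require.main === module) { // stand-alone demo
  for (const c of outdatedCopies(LOCK, "hoek", "5.0.3")) {
    console.log(`${c.path} is ${c.version}, pulled in via requires "${c.range}"`);
  }
}
```

To run it against a real project, replace LOCK with `JSON.parse(require("fs").readFileSync("npm-shrinkwrap.json", "utf8"))`; the nested copy it reports is the one that hand-editing cannot fix, because `npm install` regenerates it from the parent's "requires" range, so the parent itself has to be upgraded to a release that accepts the newer version.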