
I'm using npm-shrinkwrap to lock down my project dependencies.

However I'm running into one issue. It seems as though if you remove a dependency from the npm-shrinkwrap.json then node backs on to the original tree dependency resolution via package.json. I tested this by deleting an entry in my npm-shrinkwrap.json and noticing that it still turned up in node_modules after an npm install.

My concern here is that someone unwittingly uses `npm install --save-dev` to add a new dependency to the project but forgets to update the npm-shrinkwrap.json. You're then in a position where potentially you're introducing variable dependencies into the project that may change from developer to developer or CI server, which it seems is what npm shrinkwrap is designed to prevent.

My question is whether I'm right in this assertion, or misunderstanding the behaviour somehow, or if correct, is there something I can do to force npm install to use only the npm-shrinkwrap.json dependencies and ignore what's in package.json. It occurs to me I could work around this by deleting the dependencies in package.json after producing the npm-shrinkwrap.json, but obviously this is not ideal.

Rhys
  • Leaving this as a comment rather than an answer because it doesn't *reaaaally* answer your question, but have you looked at [Yarn](https://yarnpkg.com/en/)? I've found the lockfiles in that to be a million times easier to deal with than trying to shrinkwrap in NPM. – Joe Clay Feb 24 '17 at 16:43
  • Having a look at it. It's about 50-50 atm on whether I try and wedge Yarn into our tool chain or persevere with shrinkwrap with a CI server build step that runs shrinkwrap-check on postinstall to validate that the package.json and shrinkwrap.json are in sync. – Rhys Feb 25 '17 at 17:10
  • The baggage with moving to Yarn is ensuring all the devs use it instead of npm, and also making it work on the CI server that doesn't have Yarn installed on the VMs, which means having to drag it in per-build via npm and then use it, which is a bit cumbersome. – Rhys Feb 25 '17 at 17:11
  • Incidentally, I believe npm 4.x solves this by using *only* the shrinkwrap.json if it's available, however forcing the CI server and devs who may have other versions installed to use 4.x is also tricky. – Rhys Feb 25 '17 at 17:25
  • Yeah, it's definitely a trade-off whether or not the benefits of switching to Yarn outweigh the hassle of standardizing on it - I'm still in the phase of trying to convince my employers to use either at all, so you're probably a lot more qualified to make that call :p Good luck! – Joe Clay Feb 25 '17 at 23:35

0 Answers