
I'm struggling to find out why npm resolves the domain name of my npm registry to a hardcoded IP in package-lock.json.

Here's a sample:

"@poney/common-client": {
  "version": "1.1.0",
  "resolved": "http://10.10.9.9:4873/@poney%2fcommon-client/-/common-client-1.1.0.tgz",
  "integrity": "sha512-74uRCouKfwGNVAtgzwoutdfpoi0xl4CXipgXI4zTQC1BanTNrvc5fGOrkEOjzkKAVAwrHDwx41hJQ=="
},

I can't find it in the npm documentation. Any idea?
I use a local npm registry called verdaccio as a registry for in-house packages and as a cache for public upstream packages.

1 Answer


If you are using npm, most likely you would need to deal with this issue, which is not an issue; it is by design. npm is currently discussing this topic.

A possible workaround, if you insist on using npm, is to create a script to replace the resolved fields in the lock file. I don't know the side effects of that approach, but I wouldn't do it.

My suggestion: you could use another package manager such as pnpm or yarn2+, since they don't include the resolved field anymore. You could read an article I wrote a few years ago regarding this topic.

https://verdaccio.org/de-de/blog/2018/09/06/verdaccio-and-deterministic-lock-files/

Juan Picado
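The workaround mentioned in the answer above (a script that replaces the resolved fields), sketched as an added example that is not part of the original answer and is not npm's or verdaccio's own code. The registry hostname, the function names and the sample entries other than the one from the question are assumptions made for illustration.

```javascript
// Added example (not from the page): rewrite IP-literal `resolved` URLs in a
// parsed package-lock.json. REGISTRY is a hypothetical hostname (assumption).
const REGISTRY = 'https://npm.example.internal:4873';

// Constructed sample: the entry from the question plus two made-up ones.
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  '@poney/common-client': {
    version: '1.1.0',
    resolved: 'http://10.10.9.9:4873/@poney%2fcommon-client/-/common-client-1.1.0.tgz',
    integrity: 'sha512-PLACEHOLDER==',
    dependencies: { // nested v1 entry with no integrity hash
      'example-dep': { version: '1.0.0', resolved: 'http://10.10.9.9:4873/example-dep/-/example-dep-1.0.0.tgz' },
    },
  },
  'other-dep': { version: '2.0.0', resolved: 'https://registry.npmjs.org/other-dep/-/other-dep-2.0.0.tgz' },
} };

// True when the URL host is an IPv4/IPv6 literal rather than a DNS name.
function isIpLiteral(hostname) {
  return hostname.startsWith('[') || /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname);
}

// Yield entries from v2/v3 `packages` and from the nested v1 `dependencies` tree.
function* entries(lock) {
  yield* Object.entries(lock.packages || {});
  const stack = [lock.dependencies || {}];
  while (stack.length) {
    for (const [name, dep] of Object.entries(stack.pop())) {
      yield [name, dep];
      if (dep.dependencies) stack.push(dep.dependencies);
    }
  }
}

// Rewrite in place; only the origin changes. Path and `integrity` are left
// alone, so npm still checks the tarball against the recorded hash.
function pinResolved(lock, registry = REGISTRY) {
  const target = new URL(registry);
  const changes = [];
  for (const [name, pkg] of entries(lock)) {
    let url;
    try { url = new URL(pkg.resolved); } catch { continue; } // absent or not a URL
    if (!/^https?:$/.test(url.protocol) || !isIpLiteral(url.hostname)) continue;
    const to = target.origin + url.pathname + url.search;
    changes.push({ name, from: pkg.resolved, to, hasIntegrity: Boolean(pkg.integrity) });
    pkg.resolved = to;
  }
  return changes;
}
```

Entries reported with `hasIntegrity: false` deserve a manual look before the rewritten lock file is committed, because nothing in the lock file ties the new URL to a known tarball hash.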