There may be times you want to restrict your package dependency versions for various reasons. NPM ShrinkWrap is used for this purpose, and it’s especially helpful when you need to control the versions of nested packages.
The usage is pretty straightforward. All you need is to create an npm-shrinkwrap.json and specify the versions inside. The next time you run the npm install command, it takes the place of your package-lock.json and installs exactly the package versions you specified.
Let’s start with an example. I got this warning after merging a pull request for my current project from GitHub. It suggests updating one of my dependencies because it might be vulnerable.
But I have no clue where this dependency is. Let’s try to locate the package by running npm list marked (note that you need to run npm i first to get your node_modules):
Great! Found it under textract – one of the dependencies in my package.json.
Next, install shrinkwrap:
npm install shrinkwrap --save
Now, create an npm-shrinkwrap.json and put the following in it:
{
  "dependencies": {
    "textract": {
      "version": "2.2.0",
      "dependencies": {
        "marked": {
          "version": "0.3.9"
        }
      }
    }
  }
}
Reinstall the npm packages and reissue npm list marked:
Done! The version of the textract sub-package has been successfully overridden.
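To make the steps above concrete (find where a nested package lives, pin it in npm-shrinkwrap.json, then check the installed tree against the pin), here is an added example that is not part of the original post. It models node_modules in memory so it runs offline without npm; the textract and marked versions follow the post, while the other-lib package, its 0.3.6 copy of marked, and the function names findInstalled, pinNested, pinnedVersion and verifyPins are assumptions of this example.

```javascript
// Added example, not code from the original post. Everything below runs on an
// in-memory model of node_modules; all paths and versions are constructed.

// Constructed sample of installed package.json files after reinstalling,
// keyed by path. textract's copy of marked now matches the pin; other-lib
// ships its own nested copy that nothing pins.
const installedTree = {
  'node_modules/textract/package.json': { name: 'textract', version: '2.2.0' },
  'node_modules/textract/node_modules/marked/package.json': { name: 'marked', version: '0.3.9' },
  'node_modules/other-lib/package.json': { name: 'other-lib', version: '1.0.0' },
  'node_modules/other-lib/node_modules/marked/package.json': { name: 'marked', version: '0.3.6' },
};

// Turn 'node_modules/a/node_modules/b/package.json' into the chain ['a', 'b'].
function chainFromPath(file) {
  return file.split('/').filter(seg => seg !== 'node_modules' && seg !== 'package.json');
}

// Equivalent of `npm list <name>`: every installed copy of the package,
// each with the dependency chain it sits under.
function findInstalled(tree, name) {
  return Object.entries(tree)
    .filter(([, pkg]) => pkg.name === name)
    .map(([file, pkg]) => ({ chain: chainFromPath(file), version: pkg.version }));
}

// Build (or extend) the nested "dependencies" entry that pins `version` for
// the package at the end of `chain`, e.g. ['textract', 'marked'].
function pinNested(shrinkwrap, chain, version) {
  let node = shrinkwrap;
  for (const name of chain) {
    node.dependencies = node.dependencies || {};
    node.dependencies[name] = node.dependencies[name] || {};
    node = node.dependencies[name];
  }
  node.version = version;
  return shrinkwrap;
}

// Look up the version pinned for a chain, or null when nothing pins it.
function pinnedVersion(shrinkwrap, chain) {
  let node = shrinkwrap;
  for (const name of chain) {
    node = node.dependencies && node.dependencies[name];
    if (!node) return null;
  }
  return node.version || null;
}

// The check to run after `npm install`: every installed copy of `name` must
// match its pin, and copies with no pin are reported rather than ignored.
function verifyPins(tree, shrinkwrap, name) {
  return findInstalled(tree, name).map(({ chain, version }) => {
    const pinned = pinnedVersion(shrinkwrap, chain);
    return {
      chain: chain.join(' > '),
      installed: version,
      pinned,
      ok: pinned !== null && pinned === version,
    };
  });
}

// Walk-through mirroring the post: pin textract, then marked under it.
const shrinkwrap = pinNested({}, ['textract'], '2.2.0');
pinNested(shrinkwrap, ['textract', 'marked'], '0.3.9');

console.log(JSON.stringify(shrinkwrap, null, 2));
for (const r of verifyPins(installedTree, shrinkwrap, 'marked')) {
  console.log(`${r.chain}: installed ${r.installed}, pinned ${r.pinned}, ${r.ok ? 'OK' : 'MISMATCH'}`);
}
```

The second copy of marked under other-lib is why the check is worth running after every reinstall: a nested pin under textract only applies to that branch, so any other package that nests its own copy of marked keeps whatever version it resolved to until you pin that chain as well.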