npm-force-resolutions not working when installing a new package

5

30

I'm using the scripts section of the package.json to force resolutions:

"preinstall": "npx npm-force-resolutions"

in the resolutions section, I have entered graceful-fs with a specified version:

"resolutions": {
  "graceful-fs": "^4.2.4",
},

When I run npm i everything is installed correctly, the set versions are taken into account. But later on when I install an additional module, e.g. npm i random-package, my set versions are being thrown away and I end up with [email protected] and other low versions in some dependencies.

If I clear the node_modules folder and run npm i again, everything is alright again.

I also tried setting the resolution more specific, like

"resolutions": {
  "glob/**/graceful-fs": "^4.2.4",
},

but this doesn't help.

I also tried:

  • adding the module as dependency, devDependency or peerDependency
  • using a shrinkwrap and overriding it there

but no luck.

What am I missing?

Placencia answered 30/10, 2020 at 9:34 Comment(3)
Hey, any chance you found the solution? I experience the same problem. – Representation
I don't think there is no other way around it until you move away from those packages that depend on it or those packages get updated. – Rufusrug
I don't have an answer, but I can save you some time. What works for me - I don't have to clear node_modules folder after installing the package. All I have to do is type npm i afterwards and it does the fixes. Still annoying, but at least you don't have to clear the entire folder first. – Backstroke
21

The best solution for me to automate this was modifying preinstall script as above:

"preinstall": "npm install --package-lock-only --ignore-scripts && npx npm-force-resolutions",

Enabling answered 8/5, 2021 at 10:3 Comment(1)
More discussion about this workaround can be found here. – Terat
15

Best way is to change the preinstall script to this:

"preinstall": "([ ! -f package-lock.json ] && npm install --package-lock-only --ignore-scripts --no-audit); npx npm-force-resolutions"

This will only run npm install to create your initial package-lock.json when it does not exist yet.
This is much faster than always running both (npm + npx).

As of npm 8.3.0, you can also use npm's override:

{
  "overrides": {
    "graceful-fs": "^4.2.4"
  }
}
Anselmi answered 23/6, 2021 at 7:14 Comment(4)
This is the best solution that I have found for this. Thank you. – Terchie
I've found that with extreme cases (specifying a tarball version à la https://mcmap.net/q/67958/-how-to-override-a-nested-npm-sub-dependency-with-a-different-package-altogether-not-just-different-package-version-number) the preinstall route didn't work and ended up running npx npm-force-resolutions manually and pushing the changed lockfile. – Giselagiselbert
Is this a unix-only solution? – Workbench
The 'override' isn't, the 'preinstall' script is. – Anselmi
8

In the resolutions section, you must fix the version:

"resolutions": {
  "graceful-fs": "4.2.4",
},
Biathlon answered 10/5, 2021 at 12:57 Comment(0)
4

Hi @NthDegree the only way which worked for me was to first run the normal npm install and then add the packages-lock.json file to git. After doing that when you add "preinstall": "npx npm-force-resolutions", it always updates the dependency resolution to the version mentioned.

I am not sure if adding packages-lock.json file to git is good or bad but by using this method the CI/CD pipeline works as well.

Execrative answered 14/12, 2020 at 14:46 Comment(2)
Definitely add package-lock.json file to git. – Invalidity
packages-lock.json is meant to be in source control. See https://mcmap.net/q/40508/-do-i-commit-the-package-lock-json-file-created-by-npm-5 Furthermore, see my answer for a minor tweak to the preinstall script solving the 'packages-lock.json doesn't exist' issue. – Anselmi
4

If all of the above answers don't work and you still get sh: npm-force-resolutions: command not found try the following:

Just change:

"preinstall": "npx npm-force-resolutions"

To:

"preinstall": "npx force-resolutions"

npx force-resolutions does not run when no package-lock.json is detected, and allows the next command inline to be executed as normal.

Credit to: https://github.com/rogeriochaves/npm-force-resolutions/issues/10#issuecomment-885458937

Eipper answered 19/11, 2021 at 12:22 Comment(0)
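
An added example (not from any of the posts above, and not part of npm-force-resolutions): a lockfile audit that can run in CI after any `npm i <package>` to catch the reverted transitive versions the question describes. The function names, the sample lockfile and its 1.2.3 version are constructed for illustration; matching covers only exact `x.y.z` and caret `^x.y.z` specs.

```javascript
// Added example: audit a parsed package-lock.json against pinned versions.
// Simplification: only exact "x.y.z" and caret "^x.y.z" specs; prerelease tags ignored.
function parseVersion(v) {
  const m = /^\^?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version spec: ${v}`);
  return m.slice(1).map(Number);
}

function satisfies(installed, spec) {
  const [a, b] = [installed, spec].map(parseVersion);
  const cmp = a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
  if (!spec.startsWith('^')) return cmp === 0;
  // Caret: everything up to the first non-zero component must match.
  const lead = b[0] ? 0 : b[1] ? 1 : 2;
  return cmp >= 0 && b.slice(0, lead + 1).every((n, i) => a[i] === n);
}

// Every installed copy of `name`, including copies nested under other packages.
function findInstalls(lock, name) {
  const found = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith(`node_modules/${name}`) && meta.version) found.push({ path, version: meta.version });
  }
  if (found.length) return found;
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      if (dep === name) found.push({ path: trail + dep, version: meta.version });
      walk(meta.dependencies, `${trail}${dep} > `);
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// Returns one entry per installed copy that violates its pin.
function auditLock(lock, pins) {
  return Object.entries(pins).flatMap(([name, spec]) =>
    findInstalls(lock, name).filter((hit) => !satisfies(hit.version, spec))
      .map((hit) => ({ name, spec, ...hit })));
}

// Constructed sample: the nested copy under glob has reverted to an old version.
const sampleLock = { packages: {
  'node_modules/graceful-fs': { version: '4.2.4' },
  'node_modules/glob/node_modules/graceful-fs': { version: '1.2.3' },
} };
console.log(auditLock(sampleLock, { 'graceful-fs': '^4.2.4' }));
```

In a project, pass the parsed `package-lock.json` and the `resolutions` (or `overrides`) object from `package.json`, and fail the build when the returned array is non-empty.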