Understanding NPM shrinkwrap
Recently discovered npm-audit and on the first run it flagged a lot of vulnerabilities, mostly around packages and their dependencies.

Wanting to get these vulnerabilities resolved, I have discovered npm shrinkwrap, which allows me to specify what versions a package and its dependencies should use? That's how I see it anyway (please correct me if wrong, I'm here to learn).

One example I am trying to fix is the module hoek; in my package.json this is set as "hoek": "^5.0.3"

When I run npm shrinkwrap, one of the dependencies has hoek set as version 2:

"boom": {
  "version": "2.10.1",
  "resolved": "https://registry.npmjs.org/boom/-/boom-2.10.1.tgz",
  "integrity": "sha1-OciRjO/1eZ+D+UkqhI9iWt0Mdm8=",
  "requires": {
    "hoek": "2.x.x"
  },
  "dependencies": {
    "hoek": {
      "version": "2.16.3",
      "resolved": "https://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz",
      "integrity": "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0="
    }
  }
},

I thought I could edit this and specify what version I want the dependency to use, like so:

"boom": {
  "version": "2.10.1",
  "resolved": "https://registry.npmjs.org/boom/-/boom-2.10.1.tgz",
  "integrity": "sha1-OciRjO/1eZ+D+UkqhI9iWt0Mdm8=",
  "dev": true,
  "requires": {
    "hoek": "2.x.x"
  },
  "dependencies": {
    "hoek": {
      "version": "5.0.3",
      "resolved": "https://registry.npmjs.org/hoek/-/hoek-5.0.3.tgz",
      "integrity": "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0=",
      "dev": true
    }
  }
},

However, when I run npm shrinkwrap or npm install, all this reverts to the original.

How do I go about managing this? Is shrinkwrap the right choice, or am I trying to do things with it that I simply cannot?

Thanks

Gallopade answered 7/6, 2018 at 14:32 Comment(4)
Which version of npm are you using? If it's npm@5 you may want to use package-lock.json (enabled by default unless there is a shrinkwrap within the project) instead of shrinkwrap. - Anjaanjali
For further information see: docs.npmjs.com/files/package-locks - Anjaanjali
@Anjaanjali thank you. Is it possible then to lock the version of hoek for a dependency, like the example in the question? - Gallopade
This is a good explanation of npm shrinkwrap: https://mcmap.net/q/126483/-what-is-the-difference-between-npm-shrinkwrap-json-and-package-lock-json - Dobsonfly
npm shrinkwrap is used to lock the dependency versions in a project.

After installing packages using npm install or npm install package-name and updating your node_modules folder, you should run npm shrinkwrap.

It will create a new npm-shrinkwrap.json file with information about all the packages you use, and you have to commit the file.

Next time, when someone calls npm install, it will install packages from npm-shrinkwrap.json and you will have the same environment on all machines.

Loar answered 7/6, 2018 at 14:37 Comment(10)
Thanks for answering Raja, however my problem is that after I have edited the npm-shrinkwrap.json and committed it, running npm install overrides it. - Gallopade
You should not edit npm-shrinkwrap.json; you have to auto-generate it by running npm shrinkwrap. - Loar
I do have another question: what is the point of shrinkwrap when we have a package.json file? How do they differ? - Gallopade
@Gallopade The accepted answer doesn't seem to answer your question. - Softboiled
@Richlewis: Were you able to resolve this issue? I am facing the same problem. Whenever I change the version in the npm-shrinkwrap.json file and do npm install, it reverts back to the previous version only. Could you please help me? - Epidemiology
@PinkiSharma the package.json is the source of truth. npm-shrinkwrap.json and package-lock.json are generated from that. You should change the version in your package.json, run npm install (which updates the package-lock.json) and then run npm shrinkwrap, which will update your npm-shrinkwrap.json. - Airglow
@RajaSekar I thought the purpose of "when someone calls npm install, it will install packages from npm-shrinkwrap.json and you will have the same environment on all machines." was package-lock.json. What's the difference between "npm-shrinkwrap.json" and "package-lock.json"? - Chord
"npm install" when you have an npm-shrinkwrap.json is similar to "npm ci" when you want to install from the package-lock.json. Iff you use the right version of node that was used. - Dissentient
@Chord According to docs.npmjs.com/cli/v6/commands/npm-shrinkwrap the shrinkwrap is a tighter variant preferred over any package-lock.json. Though the benefits seem little to me, there might be some benefit in the context of continuous development and staged deployments. Additional information is here. - Sciuroid
This is getting so complicated. It is like saying that package-lock.json is not doing what we thought it was doing, so now we need a fix for the fix for the fix for the fix, etc., etc., etc. - Mariken
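The following is an added example, not code from the question or from any of the answers above. It is a small Node script, with no dependencies, that checks a lockfile-v1 tree (the nested "dependencies"/"requires" shape that npm 5 and 6 write to npm-shrinkwrap.json and package-lock.json, as shown in the question) for the two things that go wrong with the hand edit in the question and that the accepted answer's comments describe as "package.json is the source of truth": whether every nested entry actually satisfies the range its parent "requires", and whether the same name@version appears with two different integrity hashes. The sample lockfile is constructed here from the question's boom/hoek fragment; the root hoek@5.0.3 entry and its integrity string are placeholders, and the semver matcher is a deliberately small hand-rolled one (exact, x-ranges, ^ and ~) rather than the semver package. Run against the edited variant, it reports that hoek@5.0.3 under boom does not satisfy boom's "2.x.x" and still carries the hash of the 2.16.3 tarball, which is why the edited entry cannot survive a regeneration from package.json.

```javascript
// Added example: consistency checks for a lockfile-v1 tree (npm 5/6
// npm-shrinkwrap.json / package-lock.json). Not code from the original post.

// --- constructed sample mirroring the question's boom/hoek fragment --------
// Root hoek@5.0.3 and its integrity value are placeholders (constructed).
const SAMPLE_LOCK = {
  name: "example-app", version: "1.0.0", lockfileVersion: 1, requires: true,
  dependencies: {
    hoek: {
      version: "5.0.3",
      resolved: "https://registry.npmjs.org/hoek/-/hoek-5.0.3.tgz",
      integrity: "sha512-PLACEHOLDER-constructed-not-a-real-hash",
    },
    boom: {
      version: "2.10.1",
      resolved: "https://registry.npmjs.org/boom/-/boom-2.10.1.tgz",
      integrity: "sha1-OciRjO/1eZ+D+UkqhI9iWt0Mdm8=",
      requires: { hoek: "2.x.x" },
      dependencies: {
        hoek: {
          version: "2.16.3",
          resolved: "https://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz",
          integrity: "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0=",
        },
      },
    },
  },
};

// The hand edit from the question: version and URL bumped to 5.0.3 under
// boom, integrity left as the hash of the 2.16.3 tarball.
const EDITED_LOCK = JSON.parse(JSON.stringify(SAMPLE_LOCK));
Object.assign(EDITED_LOCK.dependencies.boom.dependencies.hoek, {
  version: "5.0.3",
  resolved: "https://registry.npmjs.org/hoek/-/hoek-5.0.3.tgz",
});

// --- minimal semver: exact, x-ranges (2.x.x, 2.x, 2, *), ^ and ~ only ------
// Anything else throws instead of silently passing; prerelease tags ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}
const compare = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

function satisfies(version, range) {
  const v = parseVersion(version);
  const r = range.trim();
  if (r === "" || r === "*" || r === "x" || r === "X") return true;
  const parts = r.split(".");
  if (parts.length <= 3 && parts.every((p) => /^(\d+|x|X|\*)$/.test(p))) {
    while (parts.length < 3) parts.push("x");                 // "2" means "2.x.x"
    return parts.every((p, i) => !/^\d+$/.test(p) || Number(p) === v[i]);
  }
  if (r[0] === "^" || r[0] === "~") {
    const lo = parseVersion(r.slice(1));
    if (compare(v, lo) < 0) return false;
    let hi;
    if (r[0] === "~") hi = [lo[0], lo[1] + 1, 0];            // ~1.2.3 -> <1.3.0
    else if (lo[0] > 0) hi = [lo[0] + 1, 0, 0];              // ^1.2.3 -> <2.0.0
    else if (lo[1] > 0) hi = [0, lo[1] + 1, 0];              // ^0.2.3 -> <0.3.0
    else hi = [0, 0, lo[2] + 1];                             // ^0.0.3 -> <0.0.4
    return compare(v, hi) < 0;
  }
  throw new Error(`unsupported range syntax: ${range}`);
}

// --- lockfile-v1 walk: yields each entry with its chain of enclosing nodes ---
function* entries(node, chain = [{ name: "<root>", entry: node }]) {
  for (const [name, entry] of Object.entries(node.dependencies || {})) {
    const here = [...chain, { name, entry }];
    yield { name, entry, chain: here, loc: here.slice(1).map((c) => c.name).join(" > ") };
    yield* entries(entry, here);
  }
}

// Node's lookup for a "requires" entry: own nested dependencies first, then
// each enclosing level, then the root.
function resolveFrom(chain, name) {
  for (let i = chain.length - 1; i >= 0; i--) {
    const deps = chain[i].entry.dependencies || {};
    if (deps[name]) {
      const loc = [...chain.slice(1, i + 1).map((c) => c.name), name].join(" > ");
      return { version: deps[name].version, loc };
    }
  }
  return null;
}

// Check 1: every "requires" range must be satisfied by the entry it resolves to.
function checkRequires(lock) {
  const problems = [];
  for (const { entry, chain, loc } of entries(lock)) {
    for (const [dep, range] of Object.entries(entry.requires || {})) {
      const found = resolveFrom(chain, dep);
      if (!found) problems.push(`${loc}: requires ${dep}@${range} but no entry is installed`);
      else if (!satisfies(found.version, range))
        problems.push(`${loc}: requires ${dep}@${range} but resolves ${dep}@${found.version} (${found.loc})`);
    }
  }
  return problems;
}

// Check 2: one name@version must carry one integrity hash everywhere. The hash
// pins the tarball bytes, so two hashes for one name@version means at least
// one entry no longer describes the tarball npm would fetch.
function integrityConflicts(lock) {
  const seen = new Map(), conflicts = [];
  for (const { name, entry, loc } of entries(lock)) {
    const key = `${name}@${entry.version}`, prev = seen.get(key);
    if (!prev) seen.set(key, { integrity: entry.integrity, loc });
    else if (prev.integrity !== entry.integrity)
      conflicts.push(`${key}: ${prev.loc} has ${prev.integrity}, ${loc} has ${entry.integrity}`);
  }
  return conflicts;
}

// Where a package lives and at which versions: the nested copy is what
// npm audit flags even though package.json never mentions that version.
function listVersions(lock, name) {
  return [...entries(lock)].filter((e) => e.name === name)
    .map((e) => ({ loc: e.loc, version: e.entry.version }));
}

for (const [label, lock] of [["generated", SAMPLE_LOCK], ["hand-edited", EDITED_LOCK]]) {
  console.log(label, "hoek at:", listVersions(lock, "hoek"));
  console.log(label, "requires problems:", checkRequires(lock));
  console.log(label, "integrity conflicts:", integrityConflicts(lock));
}
```

The generated tree passes both checks because boom's nested hoek@2.16.3 is exactly what "2.x.x" allows; the edited tree fails both, which is the state npm refuses to keep. The practical way out that this check points to is the one the comments give: change the range in package.json (or upgrade the package that requires the old hoek) so that a regenerated lockfile satisfies every "requires" on its own, then regenerate rather than hand-edit.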
npm-shrinkwrap.json is honored by npm publish, meaning it will be included in the final package.

package.json will be ignored by npm publish, and as a result your final package will not have any means to "lock" package versions.

Gayomart answered 2/3, 2023 at 14:35 Comment(1)
Answer checks out at docs.npmjs.com: "This command repurposes package-lock.json into a publishable npm-shrinkwrap.json or simply creates a new one. The file created and updated by this command will then take precedence over any other existing or future package-lock.json files." - Nogging