Note: A lot of this comes down to "hopefully npm moves to dependency tree realization soon"
Issues to watch:
Starting from a clean slate (no node_modules directory present), the following seem to be quite reliable:
npm install will install production dependencies from the shrinkwrap and then add the devDependencies on top.
npm install --production will install just the shrinkwrap'd dependencies.
Issue: npm/npm#5161 (don't be confused, it's not about npm dedupe)
When devDependencies are installed, npm shrinkwrap will generate invalid shrinkwrap files: if one of the prod dependencies depends on one of the dev dependencies, those modules will be missing from the shrinkwrap.
Workaround:
rm -rf node_modules
npm install --production
npm shrinkwrap
npm install # bring back non-prod dependencies
This is far from a theoretical problem;
especially in a "clean slate" state (no existing shrinkwrap) it's very likely to happen.
Oh, and npm shrinkwrap will not complain about this.
It will happily write that completely bogus shrinkwrap file.
npm update will generally create the same result as running npm install without an existing node_modules folder.
Unless there's a shrinkwrap file.
npm update will update shrinkwrapped versions, ignoring the shrinkwrap file.
The only reliable way to update node_modules in the presence of a shrinkwrap file,
e.g. after pulling down changes from git,
is to blow away node_modules and run npm install again:
rm -rf node_modules
npm install
Well, obviously, for handling package removals you don't have one clean command anyway,
but rather have to use something like npm purge && npm update, even without shrinkwrap files being involved.
Issue: npm/npm#5448
In theory the following would be awesome:
rm -rf node_modules npm-shrinkwrap.json
npm install --production
npm dedupe
npm shrinkwrap
The problem is that dedupe can push packages up to top level.
And shrinkwrap will error out when there are packages at top level that are not listed in package.json.
The solution is to use npm dedupe --save.
The problem with that?
You end up with dependencies in the project's package.json that are never actually (directly) required by it.
Or you choose not to check in the changes to package.json.
Neither option is particularly clean, but the latter is the more kind-of maybe correct one:
rm -rf node_modules npm-shrinkwrap.json
npm install --production
cp package.json package.json.tmp
npm dedupe --save
npm shrinkwrap
mv package.json.tmp package.json
npm install # restore dev state
Issues: npm/npm#3398, npm/npm#3581
Currently npm shrinkwrap produces seemingly random output.
It's hard to run it and not get changes,
even if no version changes.
One possible solution is to remove everything but the names and the versions,
e.g. both resolved and from,
from the resulting file.
The price you pay for doing this is that resolved can generally protect you against git branch changes and custom --registry options.
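Two small helpers for the problems above, as an added example that is not part of the original note or of npm: normalise() strips resolved and from (the random-output problem), and missingDeps() replays node's module lookup over a shrinkwrap tree to catch the npm/npm#5161 case where a prod dependency needs a module the shrinkwrap never installs. The shrinkwrap shape and the requires map (a stand-in for each installed package's own package.json) are assumptions.

```javascript
'use strict';
// Assumed shrinkwrap shape:
// { name, version, dependencies: { <pkg>: { version, from?, resolved?, dependencies? } } }

// Drop `resolved`/`from` and sort names so two shrinkwraps with the same
// versions serialise byte-for-byte the same.
function normalise(node) {
  const out = {};
  if (node.name !== undefined) out.name = node.name;
  if (node.version !== undefined) out.version = node.version;
  if (node.dependencies) {
    out.dependencies = {};
    for (const name of Object.keys(node.dependencies).sort()) {
      out.dependencies[name] = normalise(node.dependencies[name]);
    }
  }
  return out;
}

// `requires` maps a package name to the names it requires (constructed stand-in
// for its package.json). `ancestors` holds the dependency maps from the current
// node up to the root, nearest first, like node walking up node_modules dirs.
function missingDeps(tree, requires, ancestors = [], path = [], out = []) {
  const deps = tree.dependencies || {};
  const scope = [deps, ...ancestors];
  for (const name of Object.keys(deps)) {
    const child = deps[name];
    const childScope = child.dependencies ? [child.dependencies, ...scope] : scope;
    for (const wanted of requires[name] || []) {
      if (!childScope.some((d) => wanted in d)) {
        out.push({ package: [...path, name].join('/'), missing: wanted });
      }
    }
    missingDeps(child, requires, scope, [...path, name], out);
  }
  return out;
}

// Constructed sample: shrinkwrap written while devDependencies were installed.
// Prod dep `a` requires `b`, but `b` is only a devDependency, so npm left it out.
// `c` (nested under `a`) requires `a`, which resolves one level up and is fine.
const bogusShrinkwrap = {
  name: 'app', version: '1.0.0',
  dependencies: {
    a: { version: '1.2.3', from: 'a@^1.2.0', resolved: 'https://registry.example/a-1.2.3.tgz',
         dependencies: { c: { version: '0.1.0', from: 'c@~0.1.0', resolved: 'https://registry.example/c-0.1.0.tgz' } } },
  },
};
const requires = { a: ['b'], c: ['a'] };

console.log(JSON.stringify(normalise(bogusShrinkwrap), null, 2));
console.log(missingDeps(bogusShrinkwrap, requires)); // [ { package: 'a', missing: 'b' } ]
```

Running missingDeps over a freshly written shrinkwrap before checking it in is a cheap way to catch the bogus file that npm shrinkwrap itself never complains about.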