I recently discovered npm audit, and on the first run it flagged a lot of vulnerabilities, mostly around packages and their dependencies.
Wanting to get these vulnerabilities resolved, I have discovered npm shrinkwrap, which allows me to specify what versions packages and their dependencies should use? That's how I see it anyway (please correct me if I'm wrong, I'm here to learn).
One example I am trying to fix is the module hoek. In my package.json this is set as "hoek": "^5.0.3".
When I run npm shrinkwrap, one of the dependencies has hoek set as version 2:
"boom": {
  "version": "2.10.1",
  "resolved": "https://registry.npmjs.org/boom/-/boom-2.10.1.tgz",
  "integrity": "sha1-OciRjO/1eZ+D+UkqhI9iWt0Mdm8=",
  "requires": {
    "hoek": "2.x.x"
  },
  "dependencies": {
    "hoek": {
      "version": "2.16.3",
      "resolved": "https://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz",
      "integrity": "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0="
    }
  }
},
I thought I could edit this and specify what version I want the dependency to use, like so:
"boom": {
  "version": "2.10.1",
  "resolved": "https://registry.npmjs.org/boom/-/boom-2.10.1.tgz",
  "integrity": "sha1-OciRjO/1eZ+D+UkqhI9iWt0Mdm8=",
  "dev": true,
  "requires": {
    "hoek": "2.x.x"
  },
  "dependencies": {
    "hoek": {
      "version": "5.0.3",
      "resolved": "https://registry.npmjs.org/hoek/-/hoek-5.0.3.tgz",
      "integrity": "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0=",
      "dev": true
    }
  }
},
However, when I run npm shrinkwrap or npm install, all of this reverts to the original.
How do I go about managing this? Is shrinkwrap the right choice, or am I trying to do things with it that I simply cannot?
Thanks
npm shrinkwrap is used to lock the dependency versions in a project.
After installing packages using npm install or npm install package-name and updating your node_modules folder, you should run npm shrinkwrap.
It will create a new npm-shrinkwrap.json file with information about all the packages you use, and you have to commit that file.
Next time someone runs npm install, it will install packages from npm-shrinkwrap.json and you will have the same environment on all machines.
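The answer describes what a shrinkwrap file is for; the question shows what goes wrong when one is edited by hand. The script below is an added example (not code from the question, the answer, or npm itself) that walks the nested "dependencies" tree of a lockfileVersion 1 npm-shrinkwrap.json or package-lock.json, lists every installed copy of a package with the range its parent declares in "requires", flags nested copies whose version falls outside that range, and compares a hand-edited lockfile against the npm-generated one to catch entries whose "resolved" tarball changed while the old "integrity" hash was kept. The two lockfile objects are constructed from the snippets in the question; the top-level hoek entry, its placeholder hash, the package name "example-app" and all function names are assumptions for the example.

```javascript
// Added example: lint a lockfileVersion 1 npm-shrinkwrap.json / package-lock.json
// tree for the two problems visible in the question: a nested copy that does not
// satisfy its parent's "requires" range, and a hand edit that changed "resolved"
// but kept the previous "integrity" digest.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Minimal range check for the forms that appear in the question: "2.x.x" (major
// pinned, rest wildcard), "^5.0.3" (caret), "*", and an exact "a.b.c".
// Any other syntax is rejected rather than guessed at.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (range === "*" || range === "x") return true;
  const wild = /^(\d+)(?:\.[x*])+$/.exec(range);
  if (wild) return v[0] === Number(wild[1]);
  if (range.startsWith("^")) {
    const lo = parseVersion(range.slice(1));
    // Caret: same major, or for 0.x the same minor, or for 0.0.x the same patch.
    const hi = lo[0] > 0 ? [lo[0] + 1, 0, 0] : lo[1] > 0 ? [0, lo[1] + 1, 0] : [0, 0, lo[2] + 1];
    return cmp(v, lo) >= 0 && cmp(v, hi) < 0;
  }
  if (/^\d+\.\d+\.\d+$/.test(range)) return cmp(v, parseVersion(range)) === 0;
  throw new Error(`unsupported range syntax: ${range}`);
}

// Depth-first walk over the lockfile tree; `path` mirrors the on-disk
// node_modules location of each entry.
function walkLock(lock, visit) {
  (function walk(deps, prefix, parent) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      visit(path, name, entry, parent);
      walk(entry.dependencies, `${path}/`, entry);
    }
  })(lock.dependencies, "", null);
}

// Every installed copy of `name`, with the range the parent asked for. The root
// project's own range lives in package.json, not in the lockfile, so it is null.
function findInstalledCopies(lock, name) {
  const hits = [];
  walkLock(lock, (path, depName, entry, parent) => {
    if (depName !== name) return;
    const range = parent && parent.requires ? parent.requires[name] || null : null;
    hits.push({ path, version: entry.version, requiredRange: range });
  });
  return hits;
}

// Nested copies whose version is outside the parent's declared "requires" range.
// Such an entry cannot satisfy the parent, so npm's own resolution will not keep it.
function findRangeConflicts(lock) {
  const conflicts = [];
  walkLock(lock, (path, depName, entry, parent) => {
    const range = parent && parent.requires && parent.requires[depName];
    if (range && !satisfies(entry.version, range)) {
      conflicts.push({ path, version: entry.version, requiredRange: range });
    }
  });
  return conflicts;
}

// Entries whose "resolved" tarball changed between the generated and the edited
// lockfile while "integrity" stayed the same: the digest can no longer match.
function findStaleIntegrity(generated, edited) {
  const original = new Map();
  walkLock(generated, (path, _name, entry) => original.set(path, entry));
  const stale = [];
  walkLock(edited, (path, _name, entry) => {
    const before = original.get(path);
    if (before && before.resolved !== entry.resolved && before.integrity === entry.integrity) {
      stale.push({ path, resolved: entry.resolved, integrity: entry.integrity });
    }
  });
  return stale;
}

const hoekEntry = (version, integrity) => ({
  version,
  resolved: `https://registry.npmjs.org/hoek/-/hoek-${version}.tgz`,
  integrity,
});

// Constructed from the question's first snippet. The top-level hoek entry is
// assumed (its digest is a placeholder, not a real hash); boom nests hoek 2.16.3.
const generatedLock = {
  name: "example-app", version: "1.0.0", lockfileVersion: 1,
  dependencies: {
    hoek: hoekEntry("5.0.3", "sha1-PLACEHOLDER-not-a-real-digest="),
    boom: {
      version: "2.10.1",
      resolved: "https://registry.npmjs.org/boom/-/boom-2.10.1.tgz",
      integrity: "sha1-OciRjO/1eZ+D+UkqhI9iWt0Mdm8=",
      requires: { hoek: "2.x.x" },
      dependencies: { hoek: hoekEntry("2.16.3", "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0=") },
    },
  },
};

// The hand-edited variant from the question's second snippet: nested hoek bumped
// to 5.0.3 but still carrying hoek 2.16.3's digest, and boom still requiring 2.x.x.
const editedLock = JSON.parse(JSON.stringify(generatedLock));
editedLock.dependencies.boom.dependencies.hoek = hoekEntry("5.0.3", "sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0=");

console.log(JSON.stringify({
  copiesOfHoek: findInstalledCopies(generatedLock, "hoek"),
  rangeConflictsAfterEdit: findRangeConflicts(editedLock),
  staleIntegrityAfterEdit: findStaleIntegrity(generatedLock, editedLock),
}, null, 2));
```

Run against a real lockfile by replacing the constructed objects with `JSON.parse(fs.readFileSync("npm-shrinkwrap.json", "utf8"))`. On the question's data it reports two installed copies of hoek (5.0.3 at the top level, 2.16.3 under boom), and for the edited file it flags the nested hoek 5.0.3 as outside boom's "2.x.x" range and its integrity digest as the one that belonged to the 2.16.3 tarball. That is the practical point: a lockfile pins what the declared ranges already allow; to move boom off hoek 2 you need a boom release whose "requires" admits a newer hoek, not a hand edit of the lock.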