arei / npmbox

Utility for creating (boxing) and using (unboxing) an archive of a complete (including all dependencies) npm install.
MIT License

npmbox: using shrinkwrap to specify dependent package versions? #84

Open dtgriscom opened 7 years ago

dtgriscom commented 7 years ago

I'm using npmbox to download and archive packages to be later installed for my project. But, I can only specify the versions for the 13 primary dependencies in my package.json; the 176 total sub-dependencies are free to change at will (subject to the sometimes arbitrary version specs of the parent packages).

With npm I can shrinkwrap the versions of all the packages once they've been installed, but then I can't archive them that way. I believe using npmbox is just like un-shrinkwrapped npm, where dependency package versions can change each time I use npmbox. (Yes, once I've wrapped it all in a .npmbox archive the versions won't change, but if I ever want to update a single package I'll have to take whatever sub-dependency versions get downloaded.)

Am I right that there's no current way with npmbox to be precise about a sub-dependency's version? Is there any way I can end up with a .npmbox archive holding an exactly specified set of packages, sub-versions included?

danfuzz commented 7 years ago

Not 100% sure, but I think npmbox will respect shrinkwrap files. Might reasonably be considered a bug if not.

[Note: I'm a contributor to the project, but not the leader of it.]

dtgriscom commented 7 years ago

I just checked, and it doesn't seem to. Test:

  1. Started in directory with existing npm-shrinkwrap.json file, specifying abbrev version 1.0.9 (among many other packages)
  2. Executed npmbox abbrev
  3. npmbox packaged version 1.0.9 of abbrev

It would be good if npmbox did respect versions in an npm-shrinkwrap.json file (or had some other mechanism for doing the equivalent).
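
Added example, not part of the thread and not npmbox code: the manual test above generalized into a check that flattens the nested `dependencies` tree of an npm-shrinkwrap.json and flags packaged versions that differ from the pins. The function names, the shape of the `packaged` list, and all sample data other than abbrev 1.0.9 are constructed assumptions; how that list is read out of a .npmbox archive is left to the caller.

```javascript
'use strict';

// Flatten the nested "dependencies" tree of a shrinkwrap object into a
// Map of package name -> Set of pinned versions. A name can be pinned at
// several versions at different depths of the tree.
function pinnedVersions(shrinkwrap) {
  const pins = new Map();
  const walk = (deps) => {
    for (const [name, info] of Object.entries(deps || {})) {
      if (!pins.has(name)) pins.set(name, new Set());
      pins.get(name).add(info.version);
      walk(info.dependencies);
    }
  };
  walk(shrinkwrap.dependencies);
  return pins;
}

// packaged: array of {name, version} for what ended up in the archive
// (assumed input shape). Returns the entries that are not pinned at all
// or whose version matches none of the pinned versions.
function findDrift(shrinkwrap, packaged) {
  const pins = pinnedVersions(shrinkwrap);
  const drift = [];
  for (const { name, version } of packaged) {
    const allowed = pins.get(name);
    if (!allowed) {
      drift.push({ name, version, reason: 'not pinned' });
    } else if (!allowed.has(version)) {
      drift.push({ name, version, reason: 'version mismatch', pinned: [...allowed].sort() });
    }
  }
  return drift;
}

// Constructed sample data (only abbrev 1.0.9 comes from the thread).
const sampleShrinkwrap = {
  name: 'example-project',
  dependencies: {
    abbrev: { version: '1.0.9' },
    'example-parent': { version: '2.0.0', dependencies: { abbrev: { version: '1.0.7' } } },
  },
};
const samplePackaged = [
  { name: 'abbrev', version: '1.0.9' },
  { name: 'abbrev', version: '1.1.0' },
  { name: 'example-parent', version: '2.0.0' },
  { name: 'example-extra', version: '0.1.0' },
];
console.log(JSON.stringify(findDrift(sampleShrinkwrap, samplePackaged), null, 2));
```

Only the `dependencies` tree layout of npm-shrinkwrap.json is handled; an empty result means every packaged version matched a pin.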