okTurtles / group-income

A decentralized and private (end-to-end encrypted) financial safety net for you and your friends.
https://groupincome.org
GNU Affero General Public License v3.0

Prevent package-lock.json from breaking when deps-of-deps update #340

Open taoeffect opened 6 years ago

taoeffect commented 6 years ago

Problem

I just noticed that package-lock.json will get updated if any dependency of any dependency is not fully specified and gets updated.

For example, on a clean npm install, I noticed this diff in package-lock.json:

@@ -5029,7 +4129,7 @@
       "version": "github:taoeffect/grunt-browserify#cd7a1e08801531dc2f09b83baf7650e37913a0a5",
       "dev": true,
       "requires": {
-        "async": "2.5.0",
+        "async": "2.6.0",
         "browserify": "14.4.0",
         "browserify-incremental": "3.1.1",
         "glob": "7.1.2",
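
Review bot: the hunk header `@@ -5029,7 +4129,7 @@` shows the regenerated file is roughly 900 lines shorter by this point, so this install rewrote much more of the lockfile than the single `async` bump shown here; before treating the caret range as the only cause, confirm the same npm version was used for the commit and the reinstall, and consider `npm ci` for clean installs, since it never writes package-lock.json and fails instead when the lockfile and package.json disagree. The `async` line itself is consistent with the text: `grunt-browserify` is pinned to a git commit, so npm has no registry metadata for it and re-resolves the `^2.5.0` range from that commit's package.json at install time.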

I checked package.json in that commit, and noticed that all the dependencies are specified using the caret, including "async":

"async": "^2.5.0"

So, since async got updated to 2.6, our package-lock.json got broken as well.

Solution

I'm not entirely sure what the best solution here is.

I wish there was a way to force npm to treat all dependency version numbers in all package.json files (and their dependencies) as fixed, specific versions. Then we wouldn't have this problem and we wouldn't have to change anything.

Maybe that's possible with the latest npm? I haven't checked.

The hard way is to manually clone and fix all dependencies we need. 😒
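
As an added example (not code from the group-income project or from the issue author), here is a small check for exactly the drift described above: it walks two copies of a v1 package-lock.json, the committed one and the one left behind after a clean install, and lists every transitive `requires` entry that changed, flagging parents pinned to a git commit. The lockfile contents are constructed inline to mirror the hunk quoted in the issue; run it in CI to fail the build when an install silently rewrites the lockfile.

```javascript
// Constructed sample: the committed lockfile, trimmed to the entry from the issue.
const committedLock = {
  dependencies: {
    "grunt-browserify": {
      version: "github:taoeffect/grunt-browserify#cd7a1e08801531dc2f09b83baf7650e37913a0a5",
      dev: true,
      requires: { async: "2.5.0", browserify: "14.4.0", glob: "7.1.2" },
    },
    lodash: { version: "4.17.4", requires: {} },
  },
};

// Constructed sample: what a clean `npm install` left behind (async re-resolved to 2.6.0).
const afterInstallLock = JSON.parse(JSON.stringify(committedLock));
afterInstallLock.dependencies["grunt-browserify"].requires.async = "2.6.0";

// Walk a v1 lockfile's nested "dependencies" tree, yielding [path, entry] pairs.
function* walkLock(deps, path = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const p = [...path, name];
    yield [p, entry];
    yield* walkLock(entry.dependencies, p);
  }
}

// A git-sourced dependency has no registry tarball, so its own ranges are
// re-resolved from its package.json on every install; worth flagging separately.
function isGitSpec(version) {
  return /^(github:|git\+|git:\/\/)/.test(String(version));
}

// Return every "requires" pin that differs between the two lockfiles.
// Each finding names the parent path, the dependency, old and new versions,
// and whether the parent is git-pinned.
function lockRequiresDrift(before, after) {
  const beforeMap = new Map();
  for (const [p, e] of walkLock(before.dependencies)) beforeMap.set(p.join(">"), e);
  const drift = [];
  for (const [p, e] of walkLock(after.dependencies)) {
    const key = p.join(">");
    const old = beforeMap.get(key);
    if (!old) continue; // newly added entries are a different kind of change
    for (const [dep, ver] of Object.entries(e.requires || {})) {
      const prev = (old.requires || {})[dep];
      if (prev !== ver) drift.push({ parent: key, dep, from: prev ?? null, to: ver, gitParent: isGitSpec(e.version) });
    }
  }
  return drift;
}

console.log(lockRequiresDrift(committedLock, afterInstallLock));
```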

sandrina-p commented 6 years ago

npm shrinkwrap might be what you are looking for