/npm-force-resolutions

Force npm to install a specific transitive dependency version

Primary LanguageClojure

NPM Force Resolutions

This packages modifies package-lock.json to force the installation of specific version of a transitive dependency (dependency of dependency), similar to yarn's selective dependency resolutions, but without having to migrate to yarn.

WARNING before you start

The use case for this is when there is a security vulnerability and you MUST update a nested dependency otherwise your project would be vulnerable. But this should only be used as a last resource, you should first update your top-level dependencies and file an issue for them to update the vulnerable sub-dependencies (npm ls <vulnerable dependency> can help you with that).

How to use

First add a field resolutions with the dependency version you want to fix to your package.json, for example:

"resolutions": {
  "hoek": "4.2.1"
}

Then add npm-force-resolutions to the preinstall script so that it patches the package-lock file before every npm install you run:

"scripts": {
  "preinstall": "npx npm-force-resolutions"
}

Now just run npm install as you would normally do:

npm install

To confirm that the right version was installed, use:

npm ls hoek

If your package-lock changes, you may need to run the steps above again.

Contributing

To build the project from source you'll need to install clojure. Then you can run:

npm install
npm run build