How to fix npm shrinkwrap not working in locking down dependency - node.js

This is the scenario:
I have a package, say package-a, that depends on package-b. Version 2.0.0 of package-a depends on version 1.1.0 of package-b. I specified this dependency using the notation ^1.1.0. I generated the lock file and then the shrinkwrap. I then published package-a to the repository.
My understanding is that the above ensures that whenever version 2.0.0 of package-a is installed, it will always use version 1.1.0 of package-b, even if there are newer versions of package-b.
This does not seem to be the case, because when I bumped package-b to 1.2.0, then deleted package-a and re-installed it, and checked its node_modules, I saw that it installs version 1.2.0 of package-b with it (instead of the 1.1.0 that is specified in the shrinkwrap file).
How do I fix this? How do I ensure that my package will always install what is found in the shrinkwrap file?
Or maybe I misunderstand how the npm shrinkwrap file should work? If so, I would appreciate an explanation of why what I did did not work, and pointers on how to make it work as I want.

Related

Installing different versions of the same package with npm/yarn

I have two versions of a package e.g.
@mycompany/mylib v2.0.0
and
@mycompany/mylib v3.0.0
version 3.0.0 has breaking changes from version 2.0.0 but we do not have the capacity to upgrade everything to 3.0.0 as of yet.
Another developer has upgraded an internal package, e.g. @mycompany/utils, to use version 3.0.0, and that is installed into our codebase, so now we are getting compatibility errors when running the build, as @mycompany/utils requires version 3.0.0 but the rest of the code in that repository wants version 2.0.0.
Is there a way with yarn/npm that I can install @mycompany/mylib v3.0.0 for @mycompany/utils and have the rest of the code refer to v2.0.0?

You can use custom alias installs:
npm i custom-name@npm:@mycompany/mylib@3.0
You can change custom-name to any valid package name you want to use.
After that you can import the package with this alias name, e.g.:
require("custom-name") / import * as customName from "custom-name"
To install a specific version with npm, use npm install [package-name]@[version-number].

react-dev-utils latest version installs a vulnerable version of browserslist

react-dev-utils@11.0.4 is installing a vulnerable version of browserslist, browserslist@4.14.2, although we have updated the package on GitHub. https://github.com/facebook/create-react-app/blob/main/packages/react-dev-utils/package.json#L57
[To test this, you may simply create any folder, run npm i react-dev-utils, and then check it using npm ls browserslist.]
I don't get what the constraints for this are. (I don't see any package-lock.json for this package, which could be a potential reason for the vuln.) The older version has a reported vulnerability, CVE-2021-23364.

"react-dev-utils@11.0.4 is installing a vulnerable version of browserslist, browserslist@4.14.2, although we have updated the package on GitHub."
This is because that package.json file resides in the default branch which usually contains the latest or development code. At the time you posted the question, that change was not published to the npm registry.
react-dev-utils@11.0.4 has browserslist@4.14.2 listed in its package, so that's the version that will be installed. Reference: https://cdn.jsdelivr.net/npm/react-dev-utils@11.0.4/package.json
You need at least react-dev-utils@12.0.0 to fix that vulnerability. See the versions tab.
"[To test this, you may simply create any folder, run npm i react-dev-utils, and then check it using npm ls browserslist.]"
Running that command will install the latest version of react-dev-utils, which now has no vulnerability. So it will fix your issue.
"I don't see any package-lock.json for this package, which could be a potential reason for the vuln."
package-lock.json cannot be published to the registry; only the top-level lock file is respected. Reference: Should package-lock.json also be published?
"This may be an example package, but how in general do we update to the latest package? I have tried npm update as well."
npm update respects the semver range that you've set in your package.json. If it's like "react-dev-utils": "11.0.4", that command won't do anything. If it's "react-dev-utils": "^11.0.4", it will try to update to the latest 11.x.x version, which you are already on, so again it won't do anything. Reference: npm update does not do anything
In general, if you want to upgrade every direct dependency to the latest version, you can use npm-check-updates before running npm update. Refer to https://nodejs.dev/learn/update-all-the-nodejs-dependencies-to-their-latest-version for a detailed guide. Related: How to update each dependency in package.json to the latest version?
Now, if it is not a direct dependency, as was the case for you, you can force resolutions. This is natively supported in Yarn and NPM v8.3.0 and above. In older NPM versions you need to use a dependency like npm-force-resolutions. Related thread: npm equivalent of yarn resolutions?
There are many more related threads that you can easily find by searching on the web.
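
A way to list every installed copy of a transitive dependency straight from the lock file, in the spirit of the npm ls browserslist check above; this is an added example, not part of the original answer. It assumes a package-lock.json with lockfileVersion 2 or 3 (the "packages" map); the sample lock file and the MIN_FIXED threshold are constructed.

```javascript
// Added example: find every installed copy of a package in a v2/v3
// package-lock.json and flag copies older than a required minimum.
function toParts(v) {
  return v.split('.').map(Number); // plain x.y.z only
}

function older(a, b) {
  const [x, y] = [toParts(a), toParts(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return false;
}

// Keys of lock.packages are install paths such as
// "node_modules/a/node_modules/b"; the text after the last
// "node_modules/" is the package name (scoped names included).
function findCopies(lock, name, minVersion) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1 || !meta.version) continue; // root project or link entry
    if (path.slice(idx + 'node_modules/'.length) !== name) continue;
    hits.push({
      path,
      version: meta.version,
      belowMinimum: older(meta.version, minVersion),
    });
  }
  return hits;
}

// Constructed lock file: one hoisted copy and one nested copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/browserslist': { version: '4.99.0' },
    'node_modules/react-dev-utils': { version: '11.0.4' },
    'node_modules/react-dev-utils/node_modules/browserslist': { version: '4.14.2' },
  },
};

// Constructed threshold for the demo, not the advisory's fixed version.
const MIN_FIXED = '4.50.0';
console.log(findCopies(sampleLock, 'browserslist', MIN_FIXED));
```

The nested path in the output shows which parent still pulls in the old copy, which is the package to upgrade or to target with a forced resolution.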

How to update version of a package in package-lock.json and/or package.json using npm to latest version?

Say you get a warning in some libraries in a repo about security concerns from GitHub. You want to quickly bump the version just to make the GitHub warnings go away. You are not worried about re-installing, rebuilding and testing.
Is there a way to do this with npm?
npm update mypackage does not do anything.

Now it works differently. If you notice, package versions in package-lock.json have a prefix, sometimes ~ and sometimes ^; they have big importance when it comes to package updating, as fixing package mismatches is the worst hell.
Suppose you have a package in package.json called packX with version ~1.1.1 or ^1.1.1.
When you run npm update for packX, npm will first of all check the version prefix for it.
If there is ~, it will be understood as "install packX version >=1.1.1 and <1.2.0", so the highest version it can install can only be in the range 1.1.N; it will not go up to 1.2.N.
If there is ^, it will be understood as >=1.1.1 <2.0.0, so the highest version that can be installed will be in the range 1.N.N, but it cannot go up to 2.N.N.
I hope my explanation is clear enough; anyway, you can check the docs for details.

npm update will only update minor versions.
E.g.: It will update version 1.2.3 to 1.5.2
But it will not update version 1.2.3 to 2.0.1 because there can be breaking changes.
To check new major releases of the packages, you run npm outdated
To update to new major versions for all the packages, you can use npm-check-updates
npm install -g npm-check-updates
Then run ncu -u
This will upgrade all the versions in the package.json file, for dependencies and devDependencies, so npm can install the new major version. Now you can update packages to new major releases by running npm update.
Reference
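
The caret and tilde rules described in the answers above, as an added example (not part of the original answers and not npm's own code). It goes slightly beyond the text by also covering exact pins and the 0.x caret case; packX's published versions are constructed, and prerelease tags and other range syntaxes are not handled.

```javascript
// Added example: caret, tilde and exact ranges only; no prerelease tags.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Return [lowerInclusive, upperExclusive] for "1.2.3", "~1.2.3" or "^1.2.3".
function bounds(range) {
  const op = /^[~^]/.test(range) ? range[0] : '';
  const [maj, min, pat] = parseVersion(range.slice(op.length));
  let upper = [maj, min, pat + 1]; // exact pin: only this version
  if (op === '~') upper = [maj, min + 1, 0];
  if (op === '^') {
    // Caret keeps the left-most non-zero component fixed.
    if (maj > 0) upper = [maj + 1, 0, 0];
    else if (min > 0) upper = [0, min + 1, 0];
  }
  return [[maj, min, pat], upper];
}

function satisfies(version, range) {
  const [lo, hi] = bounds(range);
  const v = parseVersion(version);
  return compare(v, lo) >= 0 && compare(v, hi) < 0;
}

// Highest published version the range allows, or null if none matches.
// Without a lock file, this is the version a fresh install resolves to.
function maxSatisfying(published, range) {
  const ok = published.filter((v) => satisfies(v, range));
  ok.sort((a, b) => compare(parseVersion(a), parseVersion(b)));
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed list of published versions for the hypothetical packX.
const published = ['1.1.1', '1.1.7', '1.2.0', '1.5.2', '2.0.1'];
for (const r of ['1.1.1', '~1.1.1', '^1.1.1']) {
  console.log(r, '->', maxSatisfying(published, r));
}
```

Only the exact pin stays on 1.1.1 when newer releases appear; both prefixed ranges float upward, which is why an install with no lock file can pick up a release the author never tested.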

What is default package version installing by npm

When I install a new package in a Node.js project with npm, without specifying an exact version, which package version is going to be installed by default?
It would be the "latest" as indicated by the package information.
Source: https://docs.npmjs.com/cli/install
That is usually set as the latest stable release version, usually not the beta version and other unstable releases. But again, it all depends on each package, this is just some configuration information to be set by the maintainer(s) of the package.

create lock file to show exact version of npm installed packages

I found different versions in the package.json file than the versions returned by executing the command npm ls --depth=0. I want to create a lock file which will show the exact/fixed versions of installed npm packages.
NPM as of version 5 automatically creates a package-lock.json file for you, which should do what you need.
If you're concerned about using specific package versions, I also recommend modifying your package.json to remove the semver caret (^, e.g. ^3.0.0 -> 3.0.0) from each package version number. This ensures that the same version is always downloaded until you explicitly upgrade the package.
