How to replace * in package.json file - node.js

I have a package.json file that lists all the dependencies I have with *'s, but I want the latest packages. I tried:
npm install --save
But that didn't replace the *'s in the file. I tried with empty strings as well, that didn't work.

Older versions of npm will update package.json when you run npm update --save, but this appears to be broken in recent versions.
Alternatively, npm-check-updates can update your package.json.

npm understands some special keywords in package.json, one of them being latest,
so you can edit your file manually with something like this:
"dependencies": {
"jquery": "latest"
}
This would always give you the latest available version of jquery, no matter what.

I'd suggest you replace everything with * and run npm update --save.
This will write down the versions of the dependencies.
So
"dependencies": {
"mongo": "*"
}
will become something like
"dependencies": {
"mongo": "3.0.0"
}
EDIT: one user made a good point: * can get you into incompatibility problems, so you might want to downgrade or need to fix things afterwards.

Related

why not specify a specified version then we don't need the package-lock.json

I'm new to NPM, sorry if my questions sounds stupid. Below is my question:
Q1-
When I install a package and specify a specified version, for example:
npm install xxx@3.5.1
but why in the package.json file, it becomes:
{
"devDependencies": {
"xxx": "^3.5.1"
}
}
I know that the extra caret (the ^ character) will accept versions like 3.5.2, 3.6.0 but not 4.0.0. But I did explicitly specify that I want version 3.5.1, so why NPM still add ^ in front of the version?
Q2-
If npm installs the package with the version the user specifies, then we don't need the package-lock.json file, do we? Since all versions in the package.json file are unique and unambiguous?
1.
You can add --save-exact
npm install lodash --save --save-exact - installs the latest version and saves the exact version in the dependencies in the package.json.
2.
^ and ~ are the way npm offers you to get the latest versions of dependencies. It's risky sometimes, though.
Read this for more detailed explanation. https://bytearcher.com/articles/semver-explained-why-theres-a-caret-in-my-package-json/
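The following is an added example, not code from the question or either answer above. It implements the range rules behind the ^ and ~ specifiers the answer describes (plus exact versions and *), and a helper that rewrites a dependencies object to the exact versions actually installed, which is what --save-exact, or hand-replacing the * entries from the first question, leaves in package.json. The sample dependencies and installed versions are constructed for the example; only plain MAJOR.MINOR.PATCH versions are handled (no prerelease tags or build metadata).

```javascript
// Added example (not from the original post): minimal semver-range rules for the
// specifiers npm writes into package.json, and a helper that pins ranges to the
// exact versions that were actually installed.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Compare two parsed versions component by component: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Translate a specifier into [lowerInclusive, upperExclusive].
// "*" accepts anything (upper bound null); "^" keeps the leftmost non-zero
// component fixed; "~" keeps MAJOR.MINOR fixed; anything else is an exact pin.
function rangeBounds(spec) {
  const s = String(spec).trim();
  if (s === '*' || s === '') return [[0, 0, 0], null];
  const op = (s[0] === '^' || s[0] === '~') ? s[0] : '';
  const lower = parseVersion(op ? s.slice(1) : s);
  const [maj, min, pat] = lower;
  if (op === '') return [lower, [maj, min, pat + 1]];
  if (op === '~') return [lower, [maj, min + 1, 0]];
  if (maj > 0) return [lower, [maj + 1, 0, 0]];  // ^3.5.1 -> >=3.5.1 <4.0.0
  if (min > 0) return [lower, [0, min + 1, 0]];  // ^0.2.3 -> >=0.2.3 <0.3.0
  return [lower, [0, 0, pat + 1]];               // ^0.0.3 -> >=0.0.3 <0.0.4
}

function satisfies(version, spec) {
  const v = parseVersion(version);
  const [lo, hi] = rangeBounds(spec);
  return compareVersions(v, lo) >= 0 && (hi === null || compareVersions(v, hi) < 0);
}

// Given the "dependencies" object from package.json and a map of the versions
// actually installed (for example read from package-lock.json), return a new
// dependencies object with every range replaced by the exact installed version.
// Throws if an installed version falls outside its declared range, so a stale
// lockfile cannot be pinned silently.
function pinDependencies(deps, installed) {
  const pinned = {};
  for (const [name, spec] of Object.entries(deps)) {
    const version = installed[name];
    if (version === undefined) throw new Error(`${name} is not installed`);
    if (!satisfies(version, spec)) {
      throw new Error(`${name}@${version} does not satisfy ${spec}`);
    }
    pinned[name] = version;
  }
  return pinned;
}

// Constructed sample input (assumed package names, not a real project).
const sampleDeps = { xxx: '^3.5.1', lodash: '~4.17.20', mongo: '*' };
const sampleInstalled = { xxx: '3.9.0', lodash: '4.17.21', mongo: '3.0.0' };

console.log(JSON.stringify(pinDependencies(sampleDeps, sampleInstalled), null, 2));
```

Feeding the sample through pinDependencies yields the exact entries you would see after --save-exact; pointing it at a stale version (say xxx at 4.0.0 against ^3.5.1) throws instead of pinning the wrong thing.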

NPM how to update/upgrade transitive dependencies?

I am using express v4.16.4 in my node server.
It has pulled in cookie-signature v1.0.6.
I want to upgrade cookie-signature to v1.1.0 as it has a fix which I require.
What is the way to do that ?
I don't think I should do an npm install cookie-signature@1.1.0 as it would list cookie-signature in my app dependencies.
EDIT: this discusses the exact same problem that I am looking to solve. The accepted answer uses npm-shrinkwrap, and another top-voted answer uses package-lock.json, but both of these seem to have issues as discussed in the respective comments.
Happy to close this as a duplicate.
You might also be able to solve the issue by adding a resolutions key in the package.json to "enforce" certain versions of dependencies:
{
"resolutions": {
"cookie-signature": "^1.1.0"
}
}
To actually make use of that, you have to use npm-force-resolutions in preinstall:
"scripts": {
"preinstall": "npx npm-force-resolutions"
}
See this post for further information: https://itnext.io/fixing-security-vulnerabilities-in-npm-dependencies-in-less-than-3-mins-a53af735261d
NPM 8 introduced "overrides", which allows you to override specific transitive dependencies of your direct dependency. For your use case, you would declare something like the below in your package.json.
{
"overrides": {
"express": {
"cookie-signature": "1.1.0"
}
}
}
More details at https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides
We had a very similar problem. Protractor 5.4.2 has a dependency on webdriver-manager@^12.0.6. In package-lock.json webdriver-manager was fixed to 12.1.5. However, we needed 12.1.7 in order to make it work with all the latest Chrome versions.
We noticed that npm would install version 12.1.7 when removing node_modules and package-lock.json, but we did not find a way to automatically update package-lock.json. So these are the steps we took:
Remove node_modules
Remove package-lock.json
Run npm install
Open package-lock.json and copy the webdriver-manager section to another file
Undo (git checkout) all changes in package-lock.json
Copy the saved webdriver-manager part back into package-lock.json
Remove node_modules
Run npm install
Check node_modules/protractor/node_modules/webdriver-manager/package.json that the right version was installed.
I think this workaround should work for express and cookie-signature as well.
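Whether you pin the transitive dependency with "overrides" or by editing package-lock.json by hand, the step that matters afterwards is the last one above: check which copy each dependent actually ends up loading. The following is an added example, not code from the question or any of the answers, that does that check from the lockfile. It assumes a lockfile with lockfileVersion 2 or 3 (the "packages" map keyed by install path such as node_modules/a/node_modules/b); the embedded lockfile and the package name other-lib are constructed for the example.

```javascript
// Added example (not from the original post): report which copy of a transitive
// dependency each package in package-lock.json resolves to, and whether it is
// the version you expect after an "overrides" entry or a manual lockfile edit.
// Assumes lockfileVersion 2 or 3 ("packages" map keyed by install path).

// Constructed sample lockfile, not produced by a real npm run. express gets the
// hoisted cookie-signature 1.0.6; other-lib (assumed name) has its own nested 1.1.0.
const sampleLock = {
  name: 'my-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', dependencies: { express: '^4.16.4', 'other-lib': '^2.0.0' } },
    'node_modules/express': { version: '4.16.4', dependencies: { 'cookie-signature': '1.0.6' } },
    'node_modules/cookie-signature': { version: '1.0.6' },
    'node_modules/other-lib': { version: '2.0.0', dependencies: { 'cookie-signature': '^1.1.0' } },
    'node_modules/other-lib/node_modules/cookie-signature': { version: '1.1.0' },
  },
};

// Walk up the install tree the way Node's module resolution does: try
// <fromPath>/node_modules/<name>, then the same one level up, until the root.
function resolveFor(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    const entry = lock.packages[candidate];
    if (entry) return { path: candidate, version: entry.version };
    if (!base) return null;
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// Every package in the lockfile that declares a dependency on `name`, the copy
// it resolves to, and whether that copy is exactly `expectedVersion`.
function auditTransitive(lock, name, expectedVersion) {
  if (!lock.packages) throw new Error('expected lockfileVersion 2 or 3 with a "packages" map');
  const report = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const declared = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    if (!(name in declared)) continue;
    const resolved = resolveFor(lock, path, name);
    const marker = 'node_modules/';
    report.push({
      dependent: path === '' ? '(root)' : path.slice(path.lastIndexOf(marker) + marker.length),
      wanted: declared[name],
      path: resolved ? resolved.path : null,
      version: resolved ? resolved.version : null,
      ok: resolved !== null && resolved.version === expectedVersion,
    });
  }
  return report;
}

// For a real project: auditTransitive(loadLockfile('package-lock.json'), 'cookie-signature', '1.1.0')
function loadLockfile(file) {
  const fs = require('node:fs');
  return JSON.parse(fs.readFileSync(file, 'utf8'));
}

const sampleReport = auditTransitive(sampleLock, 'cookie-signature', '1.1.0');
for (const r of sampleReport) {
  console.log(`${r.ok ? 'OK  ' : 'FAIL'} ${r.dependent} wants ${r.wanted} -> ${r.path} (${r.version})`);
}
```

On the sample, express is reported as FAIL because it resolves to the hoisted 1.0.6 while other-lib already has 1.1.0 nested under it; after applying the "overrides" entry from the answer above and re-running npm install, the hoisted copy should be 1.1.0 and every row should read OK. A resolution that returns null means the lockfile is inconsistent with the declared dependency and should not be trusted.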

Is there any point in adding 'npm' in the 'dependencies' field in 'package.json'?

I saw this somewhere, inside package.json:
"dependencies": {
...,
"npm": "^6.1.0",
...
}
Is there any point in this?
Will npm update itself as a result of this?
If yes, will it be able to do so if its current version is lower than 6?
This is not the normal practice for packages. This will not affect your global installation of npm.
If you wish to specify which version of npm your package requires to be installed, the engines field in the package.json is the proper place to put it. From the npm docs:
You can also use the “engines” field to specify which versions of npm are capable of properly installing your program. For example:
{ "engines" : { "npm" : "~1.0.20" } }
Unless the user has set the engine-strict config flag, this field is advisory only and will only produce warnings when your package is installed as a dependency.
npm will not prevent installation of packages with a different version of npm listed in engines, but it will warn in the console that it's requesting a different version of npm than what you're using.
The only purpose of installing npm as a dependency would be if it's a package that somehow needs to use npm's API directly (like a node_modules/ analyzer, or something like that).

"npm install" installs all dependencies in node_modules directory, instead of having them nested

I need to know if the following behavior is normal.
When I npm install, each package from my package.json and the dependencies, don't get installed nested anymore, but each dependency is installed in the node_modules directory. That makes my node_modules directory blown and look like this:
This happened since I updated npm and node.
Now I run:
npm -v 3.3.6
node -v 4.2.1
python 2.7
windows 7
wamp
My package.json file looks like this:
{
"private": true,
"devDependencies": {
"gulp": "^3.8.8"
},
"dependencies": {
"laravel-elixir": "^3.0.0",
"bootstrap-sass": "^3.0.0"
}
}
It's the standard laravel package.json file.
Is there a way to have nested directories again, because I don't like such a blown article with over 100 sub directories.
Update: As Erik Pukinskis mentioned in the comments:
As of npm 3.5, support for --legacy-bundling has been dropped.
Yes, there is a way to have nested directories again by changing npm's (version 3 as of this writing) default behaviour:
Delete the currently present node_modules folder.
Tell npm to install with legacy bundling for this one install:
npm install --legacy-bundling
A "permanent" alternative:
Set your npm config to always use legacy bundling...
npm set legacy-bundling=true
.. and run as usual:
npm install
Note: fetching dependencies with legacy bundling will take a lot more time because many different versions of the same dependencies will be installed.
Disclaimer: As a non-Windows user I have no need for flat dependencies and want to find self-declared dependencies with ease in favour of automatic deduping. Since installing npm dependencies without legacy bundling already takes an incredible amount of time I'm usually willing to spend those extra minutes install time. It gets back down to 5 directories from previously 700+ (...) in a Laravel Elixir setup with bootstrap (non-sass), font-awesome and jquery added.
That's the new behavior of npm 3 as per this npm blog.

Update NPM Packages

I seem to understand how to clone a repository, but I'm not sure I'm fully grasping how to keep that repository current with what's on Github. I'm using Basscss for example, and I believe my local project is slightly out of date with what's on Github.
I'm trying to update Basscss to the latest version using npm update, but even after running that command my package.json file remains the same, with the version stuck at "4.2.1".
"name": "basscss",
"version": "4.2.1",
...
Am I doing something wrong here? Any help with this is appreciated. Thanks in advance!
npm update will update the module's files listed in your project. If you want to update your package.json file with the newer version, use the save option.
npm update --save
Edit:
npm install basscss@latest --save
I would try to re-install latest and save to the package file. BTW, your package.json should reference the deps like this:
"name" : "YOUR_PROJECT",
"version" : "0.0.1",
"dependencies": {
"basscss": "^4.2.4"
}
