
npm-shrinkwrap.json file is useless and makes troubles with npm 7 (and npm 8) #49

Open
crutch12 opened this issue Jan 17, 2022 · 3 comments

Comments

@crutch12

crutch12 commented Jan 17, 2022

  1. shrinkwrap adds 12k lines to my lock file after install with npm 8
  2. npm 8 has a bug and installs even dev: true deps. So with npm ci you get the error Unsupported platform for fsevents@2.3.2: wanted {"os":"darwin"} (current: {"os":"linux","arch":"x64"})

I think we should remove the npm-shrinkwrap.json file altogether

UPD: I've tried to install branch-name-lint without npm-shrinkwrap.json and it works well. So it looks like npm-shrinkwrap.json is used only for security issues (#9)

@crutch12 crutch12 changed the title from "shrinkwrap file is useless and makes troubles with npm 7 (and npm 8)" to "npm-shrinkwrap.json file is useless and makes troubles with npm 7 (and npm 8)" Jan 17, 2022
@crutch12
Author

temporarily published own package without npm-shrinkwrap.json file: https://www.npmjs.com/package/@web-bee-ru/branch-name-lint

@yoavain-sundaysky

I don't think the idea of having an npm-shrinkwrap.json file is wrong.
When you publish a package whose purpose is to run as a tool, you want to make sure that all runtime dependencies (and their dependencies) are those you tested with. You cannot control transitive dependencies without this npm-shrinkwrap.json.
The problem is this file contains both runtime and dev dependencies.

I had to deal with a similar issue in my project, and the solution was this:

  • Commit the package-lock.json file and not the npm-shrinkwrap.json
  • In your pipeline, after you run tests and build the project and before you pack your package, run a script that:
    1. Removes dev dependencies
    2. Deletes package-lock.json file*
    3. Creates npm-shrinkwrap.json file

Something like this:

npm prune --production && del package-lock.json && npm shrinkwrap

* The reason to delete the package-lock.json file is that npm prune --production only deletes files from the node_modules folder and does not update the package-lock.json file, and npm shrinkwrap only renames package-lock.json to npm-shrinkwrap.json if it exists. When package-lock.json does not exist, the npm-shrinkwrap.json file is created from the existing dependency tree (which represents the committed package-lock.json file, without the dev dependencies).
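As an added check (not part of this thread or of branch-name-lint), a small Node.js script that audits a lockfileVersion 2/3 npm-shrinkwrap.json right after the pipeline step above, reporting entries still flagged dev: true and platform-restricted entries like the fsevents case. The sample lockfile inside it is constructed; package names and versions other than fsevents@2.3.2 are made up.

```javascript
// Added example, not code from the thread or the branch-name-lint project: audit an
// npm-shrinkwrap.json (lockfileVersion 2 or 3) before publishing, so dev-only entries
// and platform-restricted packages such as fsevents do not reach consumers.
// Constructed sample: a shrinkwrap made from a package-lock.json that still carries
// dev dependencies. Package names/versions other than fsevents@2.3.2 are made up.
const SAMPLE_LOCK = {
  name: "branch-name-lint",
  lockfileVersion: 2,
  packages: {
    "": { name: "branch-name-lint", version: "0.0.0-placeholder" },
    "node_modules/chalk": { version: "4.1.2" },
    "node_modules/jest": { version: "27.4.7", dev: true },
    "node_modules/fsevents": { version: "2.3.2", dev: true, optional: true, os: ["darwin"] },
  },
};

// Walk the "packages" map and report what would be shipped with the shrinkwrap.
function auditShrinkwrap(lock) {
  if (![2, 3].includes(lock.lockfileVersion)) {
    throw new Error(`expected lockfileVersion 2 or 3, got ${lock.lockfileVersion}`);
  }
  const dev = [];
  const platformRestricted = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry
    // "node_modules/a/node_modules/@s/b" -> "@s/b"
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const spec = `${name}@${entry.version}`;
    if (entry.dev === true) dev.push(spec);
    if (Array.isArray(entry.os) || Array.isArray(entry.cpu)) {
      platformRestricted.push({ spec, os: entry.os || [], cpu: entry.cpu || [],
        optional: entry.optional === true });
    }
  }
  return { dev, platformRestricted, clean: dev.length === 0 }; // publishable only when clean
}

// Audit a file on disk, e.g. in the pipeline step right after `npm shrinkwrap`.
function auditFile(file) {
  const fs = require("fs");
  return auditShrinkwrap(JSON.parse(fs.readFileSync(file, "utf8")));
}

if (typeof require !== "undefined" && require.main === module) {
  const result = process.argv[2] ? auditFile(process.argv[2]) : auditShrinkwrap(SAMPLE_LOCK);
  console.log(JSON.stringify(result, null, 2));
  if (process.argv[2] && !result.clean) process.exitCode = 1; // fail the pipeline step
}
```

Run as `node audit.js npm-shrinkwrap.json` in the pipeline; a non-zero exit means dev entries survived the prune and the package should not be published yet.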

@yoavain

yoavain commented Feb 10, 2022

@barzik
I can open a PR with the above change, but let me know if the solution is accepted
