switch from lockdown to shrinkwrap #603

7 participants


Now that package versions in npm are more stable (http://blog.npmjs.org/post/77758351673/no-more-npm-publish-f) I'd like to propose switching from lockdown to the built-in shrinkwrap.

Advantages:
  • built-in, well doc'd, maintained
  • faster install runs

Disadvantages:
  • less paranoid
  • checks version numbers not hash of contents

I think using shrinkwrap simplifies this task very slightly and I feel ok with the disadvantages.

pdehaan commented Mar 1, 2014

/ping @jrgm

I know we discussed this at some point. What was the drawback of using shrinkwrap under the new npm publish rules? It still wouldn't manage the sub-dependency version bumps which could cause issues?

jbonacci commented Mar 3, 2014

I would love also to hear from OPs on this one.

jrgm commented Mar 4, 2014

Yeah. I don't really like losing those checksums, but I can live without. It does track all sub-dependent versions, and there is some guarantee of immutability in the "main" npm repo. I do think we should do npm shrinkwrap --dev.

@pdehaan pdehaan added this to the Mar 14 milestone Mar 4, 2014
chilts commented Mar 4, 2014

+1 (due to there being one less moving part) :)

@shane-tomlinson shane-tomlinson referenced this pull request in mozilla/fxa-content-server Mar 5, 2014

switch from lockdown to shrinkwrap? #669


@jbonacci I'm fine with this, though OpSec may have concerns over losing the checksum functionality; I'd recommend looping them in.


@gene1wood ok, well I don't really know how to do that via GitHub.
@dannycoates and @jrgm let's have a rep from OpSec look at this.


Seems to me like a very small gain for dumping checksums. If they'll be implemented in the future for shrinkwrap, why not just wait till then to switch?

@pdehaan pdehaan referenced this pull request in mozilla-services/FindMyDevice Mar 13, 2014

Add npm-shrinkwrap #15

@dannycoates dannycoates deleted the dannycoates:shrinkwrap branch Apr 30, 2015