Now that package versions in npm are more stable (http://blog.npmjs.org/post/77758351673/no-more-npm-publish-f) I'd like to propose switching from lockdown to the built-in shrinkwrap.
I think using shrinkwrap simplifies this task very slightly and I feel ok with the disadvantages.
switch from lockdown to shrinkwrap
I know we discussed this at some point. What was the drawback of using shrinkwrap under the new npm publish rules? It still wouldn't manage the sub-dependency version bumps which could cause issues?
I would love also to hear from OPs on this one.
Yeah. I don't really like losing those checksums, but I can live without them. It does track all sub-dependency versions, and there is some guarantee of immutability in the "main" npm repo. I do think we should do npm shrinkwrap --dev.
+1 (due to there being one less moving part) :)
switch from lockdown to shrinkwrap. closes #603
@jbonacci I'm fine with this though OpSec may have concerns over losing the checksum functionality, I'd recommend looping them in.
@gene1wood ok, well I don't really know how to do that via GitHub.
@dannycoates and @jrgm let's have a rep from OpSec look at this.
Seems to me like a very small gain for dumping checksums. If they'll be implemented in the future for shrinkwrap, why not just wait till then to switch?