[QUESTION] What's the correct way of using npm-shrinkwrap for dependencies? #1005
Comments
|
Distributing a shrinkwrap file is hostile to deduping; and as you’ve discovered, if you do it, you need to make sure you’re not shrinkwrapping dev deps. Lockfiles are best at the top level - in apps, not packages. |
|
Yeah, but there's a glitch in the system right? If you shrink-wrap for production you need to regenerate the locked down dependencies when you run in your CI? |
|
I’m not sure i understand your question. Typically you shrinkwrap both prod and dev deps, and in your build system, run |
|
I think I'm seeing the same issue. Lets say we have I think npm wrongly ignores |
|
I've created a new issue to explain this better - |
darcyclarke
added
Release 6.x
What / Why
I'm not sure if this is a feature or a bug: I've been using npm-shrinkwrap files in a couple of projects to pin down versions. That works fine on the highest level. I use
npm shrinkwrapto generate the file (keeping both dependencies and dev-dependencies in the same file). I test the module on CI. It works. When I install my application I usenpm install --production. That also work fine, only dependencies gets installed.However, if my dependencies also use a shrink-wrap file and I run
npm install --productionon the top level, my dependencies dev-dependencies gets installed. Is that how it should work?In my case having dependencies that use dependencies that use dependencies that use shrink-wrap files, has made me production install many extra mb of prettier and other test dependencies.
I tested with npm version 6.14.2
The text was updated successfully, but these errors were encountered: