Skip to content
Force npm to install a specific transitive dependency version
Clojure
Branch: master
Clone or download
Latest commit a091af2 Oct 21, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
src Put version also in requires to fix version for npm 6 Oct 20, 2019
.gitignore Fix build and installation May 6, 2018
.npmignore Ignore unneded files to npm May 6, 2018
README.md
deps.edn
package-lock.json 0.0.3 Oct 20, 2019
package.json 0.0.3 Oct 20, 2019

README.md

NPM Force Resolutions

This packages modifies package-lock.json to force the installation of specific version of a transitive dependency (dependency of dependency), similar to yarn's selective dependency resolutions, but without having to migrate to yarn.

WARNING before you start

The use case for this is when there is a security vulnerability and you MUST update a nested dependency otherwise your project would be vulnerable. But this should only be used as a last resource, you should first update your top-level dependencies and file an issue for them to update the vulnerable sub-dependencies (npm ls <vulnerable dependency> can help you with that).

How to use

First add a field resolutions with the dependency version you want to fix to your package.json, for example:

"resolutions": {
  "hoek": "4.2.1"
}

Then add npm-force-resolutions to the preinstall script so that it patches the package-lock file before every npm install you run:

"scripts": {
  "preinstall": "npx npm-force-resolutions"
}

Now just run npm install as you would normally do:

npm install

To confirm that the right version was installed, use:

npm ls hoek

If your package-lock changes, you may need to run the steps above again.

Contributing

To build the project from source you'll need to install clojure. Then you can run:

npm install
npm run build
You can’t perform that action at this time.