Feature Request: Don't check sub-dependencies #6
The main point of shrinkwrap is to freeze sub-dependencies versions also. Bumping one package can also bump a sub-dependency that is shared by a third one, with the risk of breaking things. Actually this situation is what motivated us to start using npm-shrinkwrap.json and subsequently create Are you sure you only want top level dependencies to be shrinkwrapped? |
I think there's a misunderstanding. I want everything to be shrinkwrapped, I just don't want to list all my dependencies-of-dependencies in my i.e. it's returning a non-0 exit status code even after a fresh shrinkwrap. |
Hmm, that might be because you are using npm3. If so update |
Not working with $ npm-shrinkwrap-check -3
package.json and npm-shrinkwrap.json out of sync
* fsevents found in package.json but not in npm-shrinkwrap.json
* esprima-fb found in package.json but not in npm-shrinkwrap.json
* tap-stream found in package.json but not in npm-shrinkwrap.json
* event-stream found in package.json but not in npm-shrinkwrap.json
* node-static found in package.json but not in npm-shrinkwrap.json
* hapi found in package.json but not in npm-shrinkwrap.json
... |
Could you share your package.json dependencies? I'll try to reproduce locally |
@Morantron Sure.
Presently using npm 3.8.9 FYI. Oh.. you know what it might be? Are you only checking I just moved all my devDevs into dependencies and that reduced the false positives by quite a bit, but there's still a few that are wrong... |
Thanks! I've spotted some issues in the script that yield false positives. I've sorted them out, but I still have one pending issue: I need to figure out what to do exactly with them (especially when they are subdependency optional dependencies), since they are included in |
Should be fixed with |
Awesome, thank you! Seems to pass now with |
Can we get an option to suppress all those warnings? They're just going to happen every time, forever. |
Will reduce verbosity in this issue #11 |
I've got hundreds of sub-dependencies. I don't want to add them all to my package.json. I only care that the packages I've explicitly listed in package.json are shrinkwrapped. Can you add an option to filter those out?
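
The check requested in this issue, sketched as an added example (not code from npm-shrinkwrap-check): only packages explicitly listed in package.json must have a shrinkwrap entry, sub-dependencies are ignored, and missing optional dependencies are reported separately. The function name `checkTopLevel`, its `dev` option, and the sample manifests are hypothetical and constructed for illustration.

```javascript
// Added example: hypothetical helper, not the project's implementation.
// Verifies that every package explicitly listed in package.json has an entry
// in npm-shrinkwrap.json. Entries that exist only in the shrinkwrap
// (sub-dependencies) are never reported.
function checkTopLevel(pkg, shrinkwrap, opts = {}) {
  const locked = shrinkwrap.dependencies || {};
  const has = (name) => Object.prototype.hasOwnProperty.call(locked, name);
  const optional = pkg.optionalDependencies || {};
  // devDependencies are only expected when the shrinkwrap was generated with them.
  const required = Object.assign({}, pkg.dependencies,
    opts.dev ? pkg.devDependencies : {});

  const missing = Object.keys(required)
    // npm lets an optionalDependencies entry override dependencies of the same name.
    .filter((name) => !(name in optional) && !has(name))
    .sort();
  // Optional packages can be platform-specific, so their absence is a warning only.
  const optionalMissing = Object.keys(optional).filter((n) => !has(n)).sort();

  return { ok: missing.length === 0, missing, optionalMissing };
}

// Constructed sample manifests (package names taken from the output quoted in
// the thread; versions and sub-dependency names are made up).
const SAMPLE_PKG = {
  dependencies: { hapi: '^13.0.0', 'event-stream': '^3.3.0' },
  devDependencies: { 'tap-stream': '^0.2.0' },
  optionalDependencies: { fsevents: '^1.0.0' },
};
const SAMPLE_SHRINKWRAP = {
  dependencies: {
    hapi: { version: '13.0.0' },
    'event-stream': { version: '3.3.0' },
    through: { version: '2.3.8' }, // sub-dependency: ignored by the check
    boom: { version: '3.1.0' },    // sub-dependency: ignored by the check
  },
};

console.log(checkTopLevel(SAMPLE_PKG, SAMPLE_SHRINKWRAP, { dev: true }));
```

A CI step would fail the build only when `ok` is false and print `optionalMissing` as informational output.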