Monday, December 4, 2017

npm - How to actually use package-lock.json for installing based on locked versions?


Just updated from npm 3 to 5, to use this feature.

Sorry, I must be missing something totally obvious, but how do I make npm respect the pinned versions in the package-lock.json file when installing?

Let's say I have a package.json with a fair bit of outdated packages. Doing an npm install will pull in new stuff and breaks my app.

For example, the main package I want to stabilize is bootstrap - I want to block its version at bootstrap@4.0.0-alpha.6 for now, but npm install finds 4.0.0-beta.28.

If I npm update any package, package-lock.json gets updated.

Let's go to my development directory.

This is my package.json entry for bootstrap:

"bootstrap": "^4.0.0-alpha.6"

And this is what I see for my installed packages and meta data:

$ npm list 2>/dev/null | grep bootstrap
├─┬ bootstrap@4.0.0-alpha.6
├─┬ bootstrap-vue@0.16.1
│ ├── bootstrap@4.0.0-alpha.6 deduped

(env) jluc@py$ grep bootstrap package.json package-lock.json
package.json:    "bootstrap": "^4.0.0-alpha.6",
package.json:    "bootstrap-vue": "^0.16.1",
package-lock.json:    "bootstrap": {
package-lock.json:      "version": "https://registry.npmjs.org/bootstrap/-/bootstrap-4.0.0-alpha.6.tgz",
package-lock.json:    "bootstrap-vue": {
package-lock.json:      "version": "https://registry.npmjs.org/bootstrap-vue/-/bootstrap-vue-0.16.1.tgz",
package-lock.json:        "bootstrap": "https://registry.npmjs.org/bootstrap/-/bootstrap-4.0.0-alpha.6.tgz",

Looks good. Lock is bootstrap-4.0.0-alpha.6.

But how do I actually use that package-lock.json?

Here's what I did:

  • created a brand new directory
  • copied in package.json and package-lock.json
  • ran npm install.

No good. npm again found bootstrap beta and package-lock.json had no effect, in fact it was rewritten from what npm install did. Which is consistent with the behavior you want in dev, but doesn't tell me how I would use the lockfile to stabilize my packages.

(env) jluc@trynpmlock$ npm list 2>/dev/null | grep bootstrap
├── bootstrap@4.0.0-beta.2
├─┬ bootstrap-vue@0.16.1
│ ├── bootstrap@4.0.0-beta.2 deduped

(env) jluc@trynpmlock$ grep bootstrap package.json package-lock.json
package.json:    "bootstrap": "^4.0.0-alpha.6",
package.json:    "bootstrap-vue": "^0.16.1",
package-lock.json:    "bootstrap": {
package-lock.json:      "resolved": "https://registry.npmjs.org/bootstrap/-/bootstrap-4.0.0-beta.2.tgz",
package-lock.json:    "bootstrap-vue": {
package-lock.json:      "resolved": "https://registry.npmjs.org/bootstrap-vue/-/bootstrap-vue-0.16.1.tgz",
package-lock.json:        "bootstrap": "4.0.0-beta.2",

  • If I delete the package.json and only have a directory with package-lock.json, then npm install installs very little and leaves me with a truncated package-lock.json

  • npm install has a --no-package-lock option, but that prevents updating the package-lock.json.

Basically, how do I tell npm to install everything from package.json, but respect the locks in package-lock.json? Do I use a different command than npm install? Is it because npm install's doc refers to locks in the context of a package installation, but locks don't apply when you install the package.json in its entirety?

Yes, I know I can specify "bootstrap": "4.0.0-alpha.6", minus the '^', to pin the version manually.

My environment:

(env) jluc@py$ npm -v
5.5.1

2 Answers

Answers 1

If you want to take a determinate version you must transform:

"bootstrap": "^4.0.0-alpha.6" 

to

"bootstrap": "4.0.0-alpha.6" 

If you use ^ you tell npm to not update to the latest version.

If your package-lock.json interferes with your package.json you can delete it and npm will create a new one. I have encountered something similar when I made an upgrade too.

Answers 2

I was just trying to figure this out myself, and after reading through GitHub issue 17979 on the topic, I think the answer is: Use (or wait for) cipm.

There is also this SO thread: Why does "npm install" rewrite package-lock.json?

According to the cipm documentation, it shouldn't be used yet. I just tried it on a couple of my projects and it seems to be behaving. I'm certain your mileage will vary.

This is a bit maddening to me because I feel like the lock file should force the installation of the versions so that they match, but my opinion was expressed multiple times in the GitHub issue and it seems like they stuck with this.

Alternatively, it looks like you can roll back to an npm between 5.0.0 and 5.1.0, but that doesn't appeal to me either.
