Note: A lot of this comes down to "hopefully npm moves to dependency tree realization soon"
Issues to watch:
Starting from a clean slate (no node_modules directory present), the following seem to be quite reliable:
`npm install` will install production dependencies from the shrinkwrap and then add the devDependencies on top.
`npm install --production` will install just the shrinkwrap'd dependencies.
Issue: npm/npm#5161 (don't be confused, it's not about `npm dedupe`)
When devDependencies are installed, `npm shrinkwrap` will generate invalid shrinkwrap files: if one of the prod dependencies depends on one of the dev dependencies, those modules will be missing.
Workaround:
rm -rf node_modules
npm install --production
npm shrinkwrap
npm install # bring back non-prod dependencies
This is far from a theoretical problem; especially in a "clean slate" state (no existing shrinkwrap) it's very likely to happen.
Oh, and `npm shrinkwrap` will not complain about this. It will happily write that completely bogus shrinkwrap file.
`npm update` will generally create the same result as running `npm install` without an existing node_modules folder.
Unless there's a shrinkwrap file: `npm update` will update shrinkwrapped versions, ignoring the shrinkwrap file.
The only reliable way to update node_modules in the presence of a shrinkwrap file, e.g. after pulling down changes from git, is to blow away node_modules and run `npm install` again:
rm -rf node_modules
npm install
Well, obviously for handling package removals you don't have one clean command anyway, but rather have to use something like `npm prune && npm update`, even without shrinkwrap files being involved.
Issue: npm/npm#5448
In theory the following would be awesome:
rm -rf node_modules npm-shrinkwrap.json
npm install --production
npm dedupe
npm shrinkwrap
The problem is that `dedupe` can push packages up to the top level, and `shrinkwrap` will error out when there are packages at the top level that are not listed in package.json.
The solution is to use `npm dedupe --save`. The problem with that? You end up with dependencies in the project's package.json that are never actually (directly) required by it. Or you choose not to check in the changes to package.json.
Neither option is particularly clean, but the latter is the more kind-of maybe correct one:
rm -rf node_modules npm-shrinkwrap.json
npm install --production
cp package.json package.json.tmp
npm dedupe --save
npm shrinkwrap
mv package.json.tmp package.json
npm install # restore dev state
Issues: npm/npm#3398, npm/npm#3581
Currently `npm shrinkwrap` produces seemingly random output. It's hard to run it and not get changes, even if no versions change.
One possible solution is to remove everything but the names and the versions, i.e. both `resolved` and `from`, from the resulting file.
The price you pay for doing this is that you lose what `resolved` gives you: it can generally protect you against git branch changes and custom `--registry` options.
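The "names and versions only" post-processing described above, as an added example (not part of the original post and not an npm feature): a small Node script that walks the nested `dependencies` tree of an npm-shrinkwrap.json, drops `resolved` and `from` at every level, and sorts keys so repeated runs over the same tree produce identical output. The `rewriteShrinkwrapFile` helper and the sample tree are constructed for this example; keep in mind the caveat from the text, that dropping `resolved` gives up pinning to a specific tarball or git ref.

```javascript
// Strip the churn-prone fields from a shrinkwrap tree, keeping only
// name, version and the nested dependency structure (keys sorted).
function stripShrinkwrap(node) {
  // Each level of an npm-shrinkwrap.json is { version, from?, resolved?, dependencies? }.
  const out = {};
  if (node.name !== undefined) out.name = node.name;          // only present on the root
  if (node.version !== undefined) out.version = node.version;
  if (node.dependencies) {
    out.dependencies = {};
    for (const name of Object.keys(node.dependencies).sort()) {
      out.dependencies[name] = stripShrinkwrap(node.dependencies[name]);
    }
  }
  return out;
}

// Render with two-space indent and a trailing newline, matching npm's own output style.
function render(shrinkwrap) {
  return JSON.stringify(stripShrinkwrap(shrinkwrap), null, 2) + '\n';
}

// Rewrite a shrinkwrap file in place (hypothetical helper; not called here).
function rewriteShrinkwrapFile(path) {
  const fs = require('fs');
  fs.writeFileSync(path, render(JSON.parse(fs.readFileSync(path, 'utf8'))));
}

// Constructed sample tree with the fields that differ from run to run.
const SAMPLE = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    'b-lib': {
      version: '2.1.0',
      from: 'b-lib@^2.0.0',
      resolved: 'https://registry.example.test/b-lib/-/b-lib-2.1.0.tgz'
    },
    'a-lib': {
      version: '1.4.2',
      from: 'git+https://git.example.test/a-lib.git#v1.4.2',
      resolved: 'git+https://git.example.test/a-lib.git#0123456789abcdef',
      dependencies: {
        'c-util': { version: '0.3.0', from: 'c-util@~0.3.0', resolved: 'https://registry.example.test/c-util-0.3.0.tgz' }
      }
    }
  }
};
```

Running `stripShrinkwrap(SAMPLE)` yields a tree containing only `a-lib`, `b-lib` and the nested `c-util` with their versions, in sorted order; feeding the result through again changes nothing.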