
What is npm shrinkwrap and when is it needed

The npm shrinkwrap command lets you lock down the version numbers of all the packages, and their descendant packages, in your node_modules directory. Let's examine why and when you should be using this command in your application development.

The npm package manager does a pretty good job at maintaining and installing dependencies for all the packages your project requires. It does so by installing a hierarchy of packages in the node_modules directory.

There are 2 main problems with the way npm install works:

  1. Although npm recommends using semver for application versioning, it is completely up to the package author to honor this rule. This can be problematic if the package you depend on does not follow semver and a newer version of the package has breaking changes.
    Even if the package author follows semver, there is still a probability that a bug might get introduced in a compatible version.
  2. The other issue arises due to the way npm install works. Since running npm install installs a whole hierarchy of packages, if you wished to manually control the version numbers of the packages that get installed, you could do that by using exact version numbers in your package.json. However, that only solves the problem for the direct dependencies of your package. It does not give you control over the installed versions of the deeply nested packages that are the dependencies of your dependencies and beyond.

This can be crucial to you in a production environment because you need to ensure that each production re-deployment always installs the same versions of the packages as the other deployments.

This is where npm shrinkwrap comes into play. When you run npm shrinkwrap in a project after running npm install, it creates a file called npm-shrinkwrap.json which lists the exact package versions of all the installed packages in the entire hierarchy. If you check this into your version control and your colleague clones the project and does an npm install, then this time they will get the exact package versions for the full hierarchy as specified in the npm-shrinkwrap.json file.
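The value of the shrinkwrap file is that the whole nested tree becomes something you can compare between two deployments. The following Node script is an added example, not code from the original post or from npm itself: it walks the nested "dependencies" objects of an npm-shrinkwrap.json document, flattens them into a map of dependency path to exact version, and diffs two such documents so a deployment script can refuse to proceed when a transitive package has drifted. The two lock documents in the script (lockDeployA and lockDeployB, with package names and versions chosen for illustration) are constructed samples, not real lockfiles.

```javascript
// Added example, not code from the original post: flatten the nested
// "dependencies" tree of an npm-shrinkwrap.json into a map of
// dependency-path -> exact version, then diff two such maps to spot drift
// between deployments. Both lock documents below are constructed samples.

// Recursively collect every package in the tree. Keys look like
// "express/debug" so that the same package nested under two different
// parents (possibly at different versions) is reported separately.
function flattenShrinkwrap(lock) {
  const out = {};
  function walk(deps, prefix) {
    for (const name of Object.keys(deps || {})) {
      const entry = deps[name];
      const path = prefix ? prefix + "/" + name : name;
      out[path] = entry.version;
      walk(entry.dependencies, path);
    }
  }
  walk(lock.dependencies, "");
  return out;
}

// Compare two shrinkwrap documents. Returns the paths that were added,
// removed or changed so a deploy step can fail loudly on any drift.
function diffLocks(before, after) {
  const a = flattenShrinkwrap(before);
  const b = flattenShrinkwrap(after);
  const result = { added: [], removed: [], changed: [] };
  for (const p of Object.keys(a)) {
    if (!(p in b)) {
      result.removed.push(p);
    } else if (a[p] !== b[p]) {
      result.changed.push({ path: p, from: a[p], to: b[p] });
    }
  }
  for (const p of Object.keys(b)) {
    if (!(p in a)) result.added.push(p);
  }
  return result;
}

// Constructed sample: the shrinkwrap checked in after the first deployment.
const lockDeployA = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    express: {
      version: "4.13.3",
      from: "express@^4.13.0",
      dependencies: {
        debug: { version: "2.2.0", from: "debug@~2.2.0" }
      }
    },
    lodash: { version: "3.10.1", from: "lodash@^3.10.0" }
  }
};

// Constructed sample: a later install without the lock, where a nested
// package moved to a newer patch and a new top-level package appeared.
// This is exactly the kind of silent change shrinkwrap exists to prevent.
const lockDeployB = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    express: {
      version: "4.13.3",
      from: "express@^4.13.0",
      dependencies: {
        debug: { version: "2.2.1", from: "debug@~2.2.0" }
      }
    },
    lodash: { version: "3.10.1", from: "lodash@^3.10.0" },
    moment: { version: "2.10.6", from: "moment@^2.10.0" }
  }
};

// Run the comparison; a real deploy script would exit non-zero on any drift.
const drift = diffLocks(lockDeployA, lockDeployB);
const hasDrift = drift.added.length + drift.removed.length + drift.changed.length > 0;
console.log(JSON.stringify(drift, null, 2));
console.log(hasDrift ? "lockfile drift detected" : "lockfile trees match");
```

To use this against real files, replace the two constructed objects with JSON.parse of the npm-shrinkwrap.json from each environment; the diff output names the exact nested path (for example express/debug) that changed, which is the information npm install alone does not surface.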

In order to update your npm-shrinkwrap.json file, you would need to run npm update <package_name>, thereby specifying the exact package that needs to be updated, and then re-run npm shrinkwrap to update your npm-shrinkwrap.json file.

If you need to find out which packages have become outdated, simply run

npm outdated

The above command will simply read the repository and inform you of any outdated packages. You can then examine them and decide whether or not you want to include them in production after thoroughly testing them.

Also note that by default npm shrinkwrap does not include your devDependencies unless you run it with the --dev flag.

npm shrinkwrap --dev

Ryan Sukale

Ryan is just a regular guy next door trying to manage his life and finances.
