I’m trying to get more control over my project’s dependencies. I’ve already set save-exact=true in the .npmrc file. This has helped a lot for direct dependencies. But I’m still having issues with sub-dependencies in the package-lock.json file. They’re not locked to specific versions.
This means when I run npm install, I can’t be sure I’ll get the same versions every time. I know about npm ci, but it’s not great for everyday use. It wipes out the node_modules folder and takes ages to finish.
Is there a way to make the package-lock.json file more stable? I want NPM to always install the exact same versions of everything. Any tips or tricks would be really helpful. Thanks!
Hey mate, have you tried using yarn? It's pretty solid for this kind of stuff. It generates a yarn.lock file that locks all deps, even the nested ones. Plus, it's usually faster than npm. Might be worth a shot if you're struggling with npm. Just my 2 cents!
As someone who’s managed large-scale Node projects, I can relate to your dependency headaches. One technique that’s served me well is using ‘npm shrinkwrap’ in conjunction with a custom script.
Here’s what I do: After finalizing dependencies, I run ‘npm shrinkwrap’ to lock everything down. Then, I use a script that parses the npm-shrinkwrap.json file and updates package.json with the exact versions of all dependencies, including sub-dependencies.
This approach gives you ironclad version control and makes your package.json a single source of truth. It’s especially useful when onboarding new devs or setting up CI/CD pipelines.
Just be mindful that this level of version locking can make updates trickier. I usually schedule regular ‘dependency update days’ to keep things current without disrupting day-to-day development. It’s a balancing act, but it’s worth it for the stability and reproducibility it brings to your builds.
I’ve dealt with similar issues in my projects. One approach that’s worked well for me is using the ‘npm shrinkwrap’ command. This generates an npm-shrinkwrap.json file, which is like package-lock.json but with more control over sub-dependencies.
To use it, run ‘npm shrinkwrap’ after you’re happy with your dependencies. This locks down all versions, including nested ones. Commit this file to your repo. When others install, they’ll get the exact versions specified.
Another tip: regularly update your dependencies in a controlled manner. Use ‘npm outdated’ to see what needs updating, then update selectively. This gives you more control and helps avoid sudden breaking changes.
Remember, while locking versions provides stability, it’s also important to stay current with security updates. Find a balance that works for your project’s needs.