Nail Polishing Minions

    npm-force-resolutions

    0.0.10 • Public • Published

    NPM Force Resolutions

    This packages modifies package-lock.json to force the installation of specific version of a transitive dependency (dependency of dependency), similar to yarn's selective dependency resolutions, but without having to migrate to yarn.

    WARNING before you start

    The use case for this is when there is a security vulnerability and you MUST update a nested dependency otherwise your project would be vulnerable. But this should only be used as a last resource, you should first update your top-level dependencies and file an issue for them to update the vulnerable sub-dependencies (npm ls <vulnerable dependency> can help you with that).

    How to use

    First add a field resolutions with the dependency version you want to fix to your package.json, for example:

    "resolutions": {
      "hoek": "4.2.1"
    }

    Then add npm-force-resolutions to the preinstall script so that it patches the package-lock file before every npm install you run:

    "scripts": {
      "preinstall": "npx npm-force-resolutions"
    }

    Now just run npm install as you would normally do:

    npm install
    

    To confirm that the right version was installed, use:

    npm ls hoek
    

    If your package-lock changes, you may need to run the steps above again.

    Contributing

    To build the project from source you'll need to install clojure. Then you can run:

    npm install
    npm run build
    

    Keywords

    none

    Install

    npm i npm-force-resolutions

    DownloadsWeekly Downloads

    294,042

    Version

    0.0.10

    License

    MIT

    Unpacked Size

    15.3 MB

    Total Files

    443

    Last publish

    Collaborators

    • rchaves