    replace-deep-dep

    Change a transitive dependency version without updating the things requiring it.

    USAGE

    $ npx replace-deep-dep example-module 1.0.5 1.1.0
    replace-deep-dep: example-module@1.0.5 found and updated to 1.1.0
    replace-deep-dep: package-lock.json updated
    updated 1 package in 1.265s

    NOTES

    This endeavors to ONLY modify your package-lock.json or npm-shrinkwrap.json, to give you an opportunity to review the changes there before continuing. You'll need to run npm i to see those changes in your node_modules folder.

    REQUIREMENTS

    You must have a package-lock.json or an npm-shrinkwrap.json and it must be created with an up-to-date npm (at least 5.3.0). With versions less than 5.6.0, both your node_modules and your lockfile will be updated. With 5.6.0+, only your lockfile will be updated.

    CAVEATS

    This tool has sharp edges. You can, if you choose, update a deep dependency to a version that's incompatible with the things requiring it.

    WHY

    This specifically allows for the use case where a transitive dependency has gotten a security update but the things requiring it have restrictive semver patterns.

    It also lets you downgrade packages that have had dangerous or broken patch or feature releases.

    WHY NOT

    Installing packages that don't match the semver contract may break things. It's on you to ensure that they don't for your scenario.
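
One way to review a lockfile after such a change (an added example, not part of replace-deep-dep): it lists every place a package is pinned and every semver range its dependents declare, so you can see which copies still carry the old version and which ranges to check against the new one. The function names and the sample lockfile are constructed for illustration, and the code assumes the lockfileVersion 1 layout written by npm 5 and 6.

```javascript
// Added example, not part of replace-deep-dep. Assumes the lockfileVersion 1
// layout: nested "dependencies" maps, each entry holding a "version" and an
// optional "requires" map of the semver ranges it declares.

// Collect, for package `name`:
//   locked     - every place it is installed, with the pinned version
//   requiredBy - every dependent that requires it, with the declared range
function findDeepDep(lock, name) {
  const locked = [];
  const requiredBy = [];
  const walk = (deps, trail) => {
    for (const [depName, entry] of Object.entries(deps || {})) {
      const here = trail.concat(depName);
      if (depName === name) {
        locked.push({ path: here.join(' > '), version: entry.version });
      }
      const range = entry.requires && entry.requires[name];
      if (range !== undefined) {
        requiredBy.push({ path: here.join(' > '), range });
      }
      walk(entry.dependencies, here); // nested copies live under the dependent
    }
  };
  walk(lock.dependencies, []);
  return { locked, requiredBy };
}

// Copies of `name` pinned to anything other than the version you intended.
function stragglers(lock, name, wanted) {
  return findDeepDep(lock, name).locked.filter(e => e.version !== wanted);
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  name: 'app', version: '1.0.0', lockfileVersion: 1, requires: true,
  dependencies: {
    'example-module': { version: '1.1.0' },
    'lib-a': { version: '2.0.0', requires: { 'example-module': '~1.0.0' } },
    'lib-b': {
      version: '3.1.0',
      requires: { 'example-module': '1.0.5' },
      dependencies: { 'example-module': { version: '1.0.5' } }
    }
  }
};

console.log(JSON.stringify(findDeepDep(sampleLock, 'example-module'), null, 2));
console.log('not on 1.1.0:', stragglers(sampleLock, 'example-module', '1.1.0'));
```

To run it against a real project, replace `sampleLock` with the parsed contents of your package-lock.json or npm-shrinkwrap.json.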

    install

    npm i replace-deep-dep

    version

    2.0.1

    license

    ISC
