Change a transitive dependency version without updating the things requiring it.
$ npx replace-deep-dep example-module 1.0.5 1.1.0
replace-deep-dep: example-module@1.0.5 found and updated to 1.1.0
replace-deep-dep: package-lock.json updated
updated 1 package in 1.265s
This endeavors to ONLY modify your npm-shrinkwrap.json to give you an opportunity to review the changes there before continuing. You'll need to run npm i to see those changes in your
You must have a package-lock.json or an npm-shrinkwrap.json and it must be created with an up-to-date npm (at least 5.3.0). With versions less than 5.6.0, both your node_modules and your lockfile will be updated. With 5.6.0+, only your lockfile will be updated.
This tool has sharp edges. You can, if you choose, update a deep dependency to a version that's incompatible with the things requiring it.
This specifically allows for the use case where a transitive dependency has gotten a security update but the things requiring it have restrictive semver patterns.
It also lets you downgrade packages that have had dangerous or broken patch or feature releases.
Installing packages that don't match the semver contract may break things. It's on you to ensure that they don't for your scenario.
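
One way to review the lockfile after a replacement, as an added example that is not part of replace-deep-dep: it walks a lockfile and lists every requirer whose declared range no longer matches the copy of the target it resolves to. It assumes the lockfileVersion 1 layout (nested `dependencies`, per-package `requires`); `satisfies`, `auditRequirers` and `sampleLock` are hypothetical names, and only exact, `~` and `^` ranges are evaluated.

```javascript
// Added example: post-replacement audit of a lockfileVersion 1 tree (npm 5/6).
// Only exact, ~ and ^ ranges on plain x.y.z are evaluated; others return null.
function satisfies(version, range) {
  const r = /^([\^~]?)(\d+)\.(\d+)\.(\d+)$/.exec(range);
  const v = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  if (!r || !v) return null; // outside the supported subset: review by hand
  const [maj, min, pat] = v.slice(1).map(Number);
  const [rMaj, rMin, rPat] = r.slice(2).map(Number);
  const atLeast = maj > rMaj || (maj === rMaj && (min > rMin || (min === rMin && pat >= rPat)));
  if (r[1] === '') return maj === rMaj && min === rMin && pat === rPat;
  if (r[1] === '~') return atLeast && maj === rMaj && min === rMin;
  // Caret: the leftmost non-zero component may not change.
  if (rMaj > 0) return atLeast && maj === rMaj;
  if (rMin > 0) return atLeast && maj === 0 && min === rMin;
  return maj === 0 && min === 0 && pat === rPat;
}

// Lists requirers of `target` whose range is violated, unchecked, or unresolved.
function auditRequirers(lock, target) {
  const findings = [];
  const walk = (deps, scope, path) => {
    for (const [name, node] of Object.entries(deps || {})) {
      const inner = node.dependencies ? [...scope, node.dependencies] : scope;
      const range = (node.requires || {})[target];
      if (range !== undefined) {
        // Nearest copy wins: the requirer's own nested deps, then its ancestors.
        const owner = [...inner].reverse().find((d) => d[target]);
        const installed = owner ? owner[target].version : null;
        const ok = installed ? satisfies(installed, range) : false;
        if (ok !== true) {
          const status = ok === null ? 'unchecked' : installed ? 'violation' : 'missing';
          findings.push({ requirer: [...path, name].join(' > '), range, installed, status });
        }
      }
      walk(node.dependencies, inner, [...path, name]);
    }
  };
  walk(lock.dependencies, [lock.dependencies || {}], []);
  return findings;
}

// Constructed sample: example-module was force-replaced from 1.0.5 to 1.1.0.
const sampleLock = { lockfileVersion: 1, dependencies: {
  'example-module': { version: '1.1.0' },
  'parent-a': { version: '2.0.0', requires: { 'example-module': '~1.0.3' } },
  'parent-b': { version: '3.1.0', requires: { 'example-module': '^1.0.0' } },
  'parent-c': { version: '0.4.0', requires: { 'example-module': '>=1.0.0 <1.1.0' } },
  'parent-d': { version: '1.0.0', requires: { 'example-module': '1.0.5' },
    dependencies: { 'example-module': { version: '1.0.5' } } },
} };
console.log(auditRequirers(sampleLock, 'example-module'));
```

Against a real project, pass the parsed package-lock.json or npm-shrinkwrap.json as the first argument; ranges declared in the root package.json are not stored in this lockfile layout and are not covered.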