How do I override nested NPM dependency versions?

Frontend · unresolved · 6 answers · 1143 views
[愿得一人] 2020-11-22 13:51

I would like to use the grunt-contrib-jasmine NPM package. It has various dependencies. Part of the dependency graph looks like this:

─┬ grunt-c         


        
6 answers
  • 2020-11-22 14:23

    The only solution that worked for me (node 12.x, npm 6.x) was using npm-force-resolutions developed by @Rogerio Chaves.

    First, install it by:

    npm install npm-force-resolutions --save-dev
    

    You can add --ignore-scripts if some broken transitive dependency scripts are blocking you from installing anything.

    Then in package.json define which dependency should be overridden (you must set an exact version number):

    "resolutions": {
      "your-dependency-name": "1.23.4"
    }
    

    and in "scripts" section add new preinstall entry:

    "preinstall": "npx npm-force-resolutions",
    

    Now, npm install will apply changes and force your-dependency-name to be at version 1.23.4 for all dependencies.

  • 2020-11-22 14:24

    You can use the npm shrinkwrap functionality in order to override any dependency or sub-dependency.

    I've just done this in a grunt project of ours. We needed a newer version of connect, since 2.7.3 was causing trouble for us. So I created a file named npm-shrinkwrap.json:

    {
      "dependencies": {
        "grunt-contrib-connect": {
          "version": "0.3.0",
          "from": "grunt-contrib-connect@0.3.0",
          "dependencies": {
            "connect": {
              "version": "2.8.1",
              "from": "connect@~2.7.3"
            }
          }
        }
      }
    }
    

    npm should automatically pick it up while doing the install for the project.

    (See: https://nodejs.org/en/blog/npm/managing-node-js-dependencies-with-shrinkwrap/)

  • 2020-11-22 14:31

    For those from 2018 and beyond, using npm version 5 or later: edit your package-lock.json: remove the library from the "requires" section and add it under "dependencies".

    For example, you want deglob package to use glob package version 3.2.11 instead of its current one. You open package-lock.json and see:

    "deglob": {
      "version": "2.1.0",
      "resolved": "https://registry.npmjs.org/deglob/-/deglob-2.1.0.tgz",
      "integrity": "sha1-TUSr4W7zLHebSXK9FBqAMlApoUo=",
      "requires": {
        "find-root": "1.1.0",
        "glob": "7.1.2",
        "ignore": "3.3.5",
        "pkg-config": "1.1.1",
        "run-parallel": "1.1.6",
        "uniq": "1.0.1"
      }
    },
    

    Remove "glob": "7.1.2" from "requires" and add a "dependencies" entry with the proper version:

    "deglob": {
      "version": "2.1.0",
      "resolved": "https://registry.npmjs.org/deglob/-/deglob-2.1.0.tgz",
      "integrity": "sha1-TUSr4W7zLHebSXK9FBqAMlApoUo=",
      "requires": {
        "find-root": "1.1.0",
        "ignore": "3.3.5",
        "pkg-config": "1.1.1",
        "run-parallel": "1.1.6",
        "uniq": "1.0.1"
      },
      "dependencies": {
        "glob": {
          "version": "3.2.11"
        }
      }
    },
    

    Now remove your node_modules folder, run npm install and it will add missing parts to the "dependencies" section.

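Whichever of the above routes you take (forcing a version through "resolutions", hand-pinning a nested entry in package-lock.json, or an npm-shrinkwrap.json with the same nested "dependencies" shape), the check a practitioner wants afterwards is the same: confirm that every copy of the package recorded in the lockfile actually ended up at the forced version, and that no hand-edited entry was left without an "integrity" hash, because npm only verifies a fetched tarball against the hash recorded in the lockfile. The script below is an added example, not code from any of the answers or from npm-force-resolutions. It walks the nested "dependencies" tree of a lockfile v1 document like the deglob fragment above; the sample lockfile is constructed for the example, "other-tool" is a hypothetical second dependent, and its sha512 strings are placeholders.

```javascript
'use strict';

// Added example (not from the answers above or from npm-force-resolutions).
// Constructed sample: a lockfile v1 fragment in the shape of the deglob snippet,
// after "glob" was hand-pinned to 3.2.11 under deglob. "other-tool" is a
// hypothetical second dependent that still resolves to the hoisted glob 7.1.2.
// The sha512 values on the hypothetical entries are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    deglob: {
      version: '2.1.0',
      resolved: 'https://registry.npmjs.org/deglob/-/deglob-2.1.0.tgz',
      integrity: 'sha1-TUSr4W7zLHebSXK9FBqAMlApoUo=',
      requires: { 'find-root': '1.1.0', ignore: '3.3.5' },
      // Hand-edited entry: version only, no "resolved" or "integrity" yet.
      dependencies: { glob: { version: '3.2.11' } },
    },
    'other-tool': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/other-tool/-/other-tool-1.0.0.tgz',
      integrity: 'sha512-placeholder',
      requires: { glob: '7.1.2' },
    },
    glob: {
      version: '7.1.2',
      resolved: 'https://registry.npmjs.org/glob/-/glob-7.1.2.tgz',
      integrity: 'sha512-placeholder',
    },
  },
};

// Every installed copy of `name`: its node_modules path (lockfile v1 nesting
// mirrors the on-disk layout), its version, and whether an integrity hash exists.
function findCopies(lock, name) {
  const copies = [];
  const walk = (deps, parents) => {
    for (const [depName, entry] of Object.entries(deps || {})) {
      const chain = parents.concat(depName);
      if (depName === name) {
        copies.push({
          path: 'node_modules/' + chain.join('/node_modules/'),
          version: entry.version,
          hasIntegrity: typeof entry.integrity === 'string' && entry.integrity.length > 0,
        });
      }
      walk(entry.dependencies, chain);
    }
  };
  walk(lock.dependencies, []);
  return copies;
}

// Which copy of `name` a dependent installed at `dependentPath` would load:
// Node searches the dependent's own node_modules first, then each ancestor's,
// up to the project root. Returns the version string, or null if none is found.
// (Simplified: ignores "bundled"/"optional" flags and anything outside the tree.)
function resolveFor(lock, dependentPath, name) {
  const chain = dependentPath.split('/').filter((p) => p !== 'node_modules');
  for (let depth = chain.length; depth >= 0; depth--) {
    let node = lock;
    for (const p of chain.slice(0, depth)) {
      node = node && node.dependencies ? node.dependencies[p] : undefined;
    }
    const hit = node && node.dependencies && node.dependencies[name];
    if (hit) return hit.version;
  }
  return null;
}

// Problems after forcing `name` to `wanted`: copies still at another version, and
// copies with no integrity hash (npm cannot verify such a tarball against the lock).
function checkForced(lock, name, wanted) {
  const problems = [];
  for (const c of findCopies(lock, name)) {
    if (c.version !== wanted) problems.push(`${c.path} is ${c.version}, wanted ${wanted}`);
    if (!c.hasIntegrity) problems.push(`${c.path} has no integrity hash`);
  }
  return problems;
}

if (typeof require !== 'undefined' && require.main === module) {
  // For a real project, replace SAMPLE_LOCK with
  // JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')).
  for (const line of checkForced(SAMPLE_LOCK, 'glob', '3.2.11')) console.log(line);
  console.log('deglob loads glob', resolveFor(SAMPLE_LOCK, 'node_modules/deglob', 'glob'));
}
```

On the sample, checkForced reports two things: the hand-pinned copy under deglob has no integrity hash, and the hoisted root copy is still 7.1.2, so other-tool is unaffected by the pin. After the `npm install` from the answer above regenerates the hand-edited entry, the "no integrity hash" line should go away; if it persists, the lockfile is recording that copy without a hash and a tampered tarball would not be caught. The same walk applies to an npm-shrinkwrap.json of the shape shown in the earlier answers.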
  • 2020-11-22 14:32

    NPM shrinkwrap offers a nice solution to this problem. It allows us to override the version of a particular dependency of a particular sub-module.

    Essentially, when you run npm install, npm will first look in your root directory to see whether an npm-shrinkwrap.json file exists. If it does, it will use this first to determine package dependencies, and then fall back to the normal process of working through the package.json files.

    To create an npm-shrinkwrap.json, all you need to do is

     npm shrinkwrap --dev
    

    code:

    {
      "dependencies": {
        "grunt-contrib-connect": {
          "version": "0.3.0",
          "from": "grunt-contrib-connect@0.3.0",
          "dependencies": {
            "connect": {
              "version": "2.8.1",
              "from": "connect@~2.7.3"
            }
          }
        }
      }
    }
    
  • 2020-11-22 14:35

    I had an issue where one of the nested dependencies had an npm audit vulnerability, but I still wanted to maintain the parent dependency version. The npm shrinkwrap solution didn't work for me, so this is what I did to override the nested dependency version:

    1. Remove the nested dependency under the 'requires' section in package-lock.json
    2. Add the updated dependency under devDependencies in package.json, so that modules that require it will still be able to access it.
    3. npm i
  • 2020-11-22 14:46

    For those using yarn.

    I tried using npm shrinkwrap until I discovered the yarn cli ignored my npm-shrinkwrap.json file.

    Yarn has https://yarnpkg.com/lang/en/docs/selective-version-resolutions/ for this. Neat.

    Check out this answer too: https://stackoverflow.com/a/41082766/3051080
