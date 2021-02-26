openbase logo
npm-force-resolutions

by Rogério Chaves
0.0.10 (see all)

Force npm to install a specific transitive dependency version

Overview

Popularity: 275K downloads/wk, 474 GitHub stars
Maintenance: last commit 1yr ago, 4 contributors
Package: 3 dependencies, MIT license, type definitions on DefinitelyTyped, tree-shakeable: No?
Categories: Node.js Dependency Analyzer
Reviews: average rating 5.0/5 (1 rating)
Readme

NPM Force Resolutions

This package modifies package-lock.json to force the installation of a specific version of a transitive dependency (a dependency of a dependency), similar to yarn's selective dependency resolutions, but without having to migrate to yarn.

WARNING before you start

The use case for this is when there is a security vulnerability and you MUST update a nested dependency, otherwise your project would be vulnerable. But this should only be used as a last resort: you should first update your top-level dependencies and file an issue for them to update the vulnerable sub-dependencies (npm ls <vulnerable dependency> can help you find which top-level packages pull it in).

How to use

First add a field resolutions with the dependency version you want to fix to your package.json, for example:

"resolutions": {
  "hoek": "4.2.1"
}

Then add npm-force-resolutions to the preinstall script so that it patches the package-lock file before every npm install you run:

"scripts": {
  "preinstall": "npx npm-force-resolutions"
}

Now just run npm install as you would normally do:

npm install

To confirm that the right version was installed, use:

npm ls hoek

If your package-lock.json changes, you may need to run the steps above again.
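As an added example (not the project's own code, which is written in ClojureScript), here is a minimal JavaScript model of the two steps above: patching a lockfileVersion 1 package-lock.json from a resolutions map, and a lock-file counterpart of the npm ls hoek check. The sample lock, the "constructed-url" values and the handling of "requires" entries are assumptions made for the example.

```javascript
// Added example, not the npm-force-resolutions project's own code (that is
// ClojureScript): a minimal JavaScript model of what the preinstall step does.
// Assumes a lockfileVersion 1 package-lock.json, whose nested "dependencies"
// maps mirror the node_modules tree.
// Return a copy of `lock` in which every node named in `resolutions` is pinned
// to the requested version. "resolved" and "integrity" are dropped on patched
// nodes because they describe the old tarball; npm fills them in again on the
// next install. Rewriting parents' "requires" entries is an assumption here.
function forceResolutions(lock, resolutions) {
  const out = JSON.parse(JSON.stringify(lock)); // never mutate the caller's lock
  const walk = (deps) => {
    for (const [name, node] of Object.entries(deps || {})) {
      if (Object.prototype.hasOwnProperty.call(resolutions, name)) {
        node.version = resolutions[name];
        delete node.resolved;
        delete node.integrity;
      }
      for (const req of Object.keys(node.requires || {})) {
        if (Object.prototype.hasOwnProperty.call(resolutions, req)) node.requires[req] = resolutions[req];
      }
      walk(node.dependencies);
    }
  };
  walk(out.dependencies);
  return out;
}

// Lock-file counterpart of `npm ls <name>`: every path at which `name` is
// installed and the version recorded there, checkable before touching node_modules.
function listVersions(lock, name) {
  const found = [];
  const walk = (deps, path) => {
    for (const [dep, node] of Object.entries(deps || {})) {
      const here = [...path, dep];
      if (dep === name) found.push({ path: here.join(' > '), version: node.version });
      walk(node.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return found;
}

// Constructed sample lock: two parents each carry their own nested copy of hoek.
const sampleLock = {
  name: 'example-app', lockfileVersion: 1,
  dependencies: {
    hapi: { version: '16.6.2', requires: { hoek: '4.x.x' },
      dependencies: { hoek: { version: '4.2.0', resolved: 'constructed-url', integrity: 'sha512-constructed' } } },
    boom: { version: '4.3.1', requires: { hoek: '4.x.x' },
      dependencies: { hoek: { version: '4.1.1', resolved: 'constructed-url', integrity: 'sha512-constructed' } } },
  },
};
```

Run listVersions on the patched lock after forceResolutions(sampleLock, { hoek: '4.2.1' }) and every path should report 4.2.1; any path still reporting an old version is a node the resolution did not reach.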

Contributing

To build the project from source you'll need to install Clojure. Then you can run:

npm install
npm run build
