This package modifies package-lock.json to force the installation of a specific version of a transitive dependency (a dependency of a dependency), similar to yarn's selective dependency resolutions, but without having to migrate to yarn.
The use case for this is when there is a security vulnerability in a nested dependency and you MUST update it, otherwise your project remains vulnerable. This should only be used as a last resort: first update your top-level dependencies and file an issue asking their maintainers to update the vulnerable sub-dependency (npm ls <vulnerable dependency> shows which top-level packages pull it in).
First add a resolutions field with the dependency version you want to pin to your package.json, for example:
"resolutions": {
"hoek": "4.2.1"
}
Then add npm-force-resolutions to the preinstall script so that it patches the package-lock file before every npm install you run:
"scripts": {
"preinstall": "npx npm-force-resolutions"
}
Now just run npm install as you would normally do:
npm install
To confirm that the right version was installed, use:
npm ls hoek
If your package-lock changes (for example after adding or updating another dependency), the pinned version may be overwritten, so check with npm ls again and re-run the steps above if needed. Note that npm 8.3 and later support an overrides field in package.json natively; on those versions you may not need this tool.
To build the project from source you'll need to install Clojure. Then you can run:
npm install
npm run build