How do I override nested NPM dependency versions

Question

I would like to use the grunt-contrib-jasmine NPM package  It has various dependencies  Part of the dependency graph looks like this   -- grunt-contrib-jasmine 0 4 1      -- grunt-lib-phantomjs 0 2 0         -- phantomjs 1 8 2-2   Unfortunately  there s a bug in this version phantomjs which prevents it from installing correctly on Mac OS X  This is fixed in the latest version   How can I get grunt-lib-phantomjs to use a newer version of phantomjs   Some additional context    grunt-contrib-jasmine explicitly requires version   0 2 0  of grunt-lib-phantomjs  which explicitly requires version   1 8 1  of phantomjs  Adding phantomjs to my package s dependencies first has no effect  both versions are installed and grunt-contrib-jasmine still uses the older versions  see  When installing a package with NPM  can you tell it to use a different version of one of its dependencies

User · Answer

NPM shrinkwrap offers a nice solution to this problem. It allows us to override that version of a particular dependency of a particular sub-module.

Essentially, when you run npm install, npm will first look in your root directory to see whether a npm-shrinkwrap.json file exists. If it does, it will use this first to determine package dependencies, and then falling back to the normal process of working through the package.json files.

To create an npm-shrinkwrap.json, all you need to do is

 npm shrinkwrap --dev

code:

{
  "dependencies": {
    "grunt-contrib-connect": {
      "version": "0.3.0",
      "from": "grunt-contrib-connect@0.3.0",
      "dependencies": {
        "connect": {
          "version": "2.8.1",
          "from": "connect@~2.7.3"
        }
      }
    }
  }
}

User · Answer

For those using yarn    I tried using npm shrinkwrap until I discovered the yarn cli ignored my npm-shrinkwrap json file    Yarn has https   yarnpkg com lang en docs selective-version-resolutions  for this  Neat   Check out this answer too  https   stackoverflow com a 41082766 3051080

User · Answer

For those from 2018 and beyond  using npm version 5 or later  edit your package-lock json  remove the library from  requires  section and add it under  dependencies    For example  you want deglob package to use glob package version 3 2 11 instead of its current one  You open package-lock json and see    deglob        version    2 1 0      resolved    https   registry npmjs org deglob - deglob-2 1 0 tgz      integrity    sha1-TUSr4W7zLHebSXK9FBqAMlApoUo       requires          find-root    1 1 0        glob    7 1 2        ignore    3 3 5        pkg-config    1 1 1        run-parallel    1 1 6        uniq    1 0 1           Remove  glob    7 1 2   from  requires   add  dependencies  with proper version    deglob        version    2 1 0      resolved    https   registry npmjs org deglob - deglob-2 1 0 tgz      integrity    sha1-TUSr4W7zLHebSXK9FBqAMlApoUo       requires          find-root    1 1 0        ignore    3 3 5        pkg-config    1 1 1        run-parallel    1 1 6        uniq    1 0 1          dependencies          glob            version    3 2 11                 Now remove your node modules folder  run npm install and it will add missing parts to the  dependencies  section

User · Answer

The only solution that worked for me  node 12 x  npm 6 x  was using npm-force-resolutions developed by  Rogerio Chaves  First  install it by  npm install npm-force-resolutions --save-dev  You can add --ignore-scripts if some broken transitive dependency scripts are blocking you from installing anything  Then in package json define what dependency should be overridden  you must set exact version number    quot resolutions quot        quot your-dependency-name quot    quot 1 23 4 quot     and in  quot scripts quot  section add new preinstall entry   quot preinstall quot    quot npx npm-force-resolutions quot    Now  npm install will apply changes and force your-dependency-name to be at version 1 23 4 for all dependencies

User · Answer

I had an issue where one of the nested dependency had an npm audit vulnerability  but I still wanted to maintain the parent dependency version  the npm shrinkwrap solution didn t work for me  so what I did to override the nested dependency version    Remove the nested dependency under the  requires  section in package-lock json Add the updated dependency under DevDependencies in package json  so that modules that require it will still be able to access it  npm i

User · Answer

You can use npm shrinkwrap functionality  in order to override any dependency or sub-dependency  I ve just done this in a grunt project of ours  We needed a newer version of connect  since 2 7 3  was causing trouble for us  So I created a file named npm-shrinkwrap json       quot dependencies quot          quot grunt-contrib-connect quot            quot version quot    quot 0 3 0 quot          quot from quot    quot grunt-contrib-connect 0 3 0 quot          quot dependencies quot              quot connect quot                quot version quot    quot 2 8 1 quot              quot from quot    quot connect  2 7 3 quot                                 npm should automatically pick it up while doing the install for the project   See  https   nodejs org en blog npm managing-node-js-dependencies-with-shrinkwrap

[node.js] How do I override nested NPM dependency versions?

Examples related to node.js

Examples related to npm