<title>npm-shrinkwrap</title>
<link rel="stylesheet" type="text/css" href="../../static/style.css">
<link rel="canonical" href="https://www.npmjs.org/doc/cli/npm-shrinkwrap.html">
<script async=true src="../../static/toc.js"></script>
<h1><a href="../cli/npm-shrinkwrap.html">npm-shrinkwrap</a></h1> <p>Lock down dependency versions</p>
<h2 id="synopsis">SYNOPSIS</h2>
<pre><code>npm shrinkwrap
</code></pre><h2 id="description">DESCRIPTION</h2>
<p>This command locks down the versions of a package's dependencies so
that you can control exactly which versions of each dependency will be
used when your package is installed. The <code>package.json</code> file is still
required if you want to use <code>npm install</code>.</p>
<p>By default, <code>npm install</code> recursively installs the target's
dependencies (as specified in <code>package.json</code>), choosing the latest
available version that satisfies the dependency's semver pattern. In
some situations, particularly when shipping software where each change
is tightly managed, it's desirable to fully specify each version of
each dependency recursively so that subsequent builds and deploys do
not inadvertently pick up newer versions of a dependency that satisfy
the semver pattern. Specifying specific semver patterns in each
dependency's <code>package.json</code> would facilitate this, but that's not always
possible or desirable, as when another author owns the npm package.
It's also possible to check dependencies directly into source control,
but that may be undesirable for other reasons.</p>
<p>As an example, consider package A:</p>
<pre><code>{
  "name": "A",
  "version": "0.1.0",
  "dependencies": {
    "B": "&lt;0.1.0"
  }
}
</code></pre><p>package B:</p>
<pre><code>{
  "name": "B",
  "version": "0.0.1",
  "dependencies": {
    "C": "&lt;0.1.0"
  }
}
</code></pre><p>and package C:</p>
<pre><code>{
  "name": "C",
  "version": "0.0.1"
}
</code></pre><p>If these are the only versions of A, B, and C available in the
registry, then a normal <code>npm install A</code> will install:</p>
<p>However, if B@0.0.2 is published, then a fresh <code>npm install A</code> will</p>
<p>assuming the new version did not modify B's dependencies. Of course,
the new version of B could include a new version of C and any number
of new dependencies. If such changes are undesirable, the author of A
could specify a dependency on B@0.0.1. However, if A's author and B's
author are not the same person, there's no way for A's author to say
that he or she does not want to pull in newly published versions of C
when B hasn't changed at all.</p>
<p>In this case, A's author can run</p>
<pre><code>npm shrinkwrap
</code></pre><p>This generates <code>npm-shrinkwrap.json</code>, which will look something like this:</p>
<pre><code>{
  "name": "A",
  "version": "0.1.0",
  "dependencies": {
    "B": {
      "version": "0.0.1",
      "from": "B@^0.0.1",
      "resolved": "https://registry.npmjs.org/B/-/B-0.0.1.tgz",
      "dependencies": {
        "C": {
          "version": "0.0.1",
          "from": "org/C#v0.0.1",
          "resolved": "git://github.com/org/C.git#5c380ae319fc4efe9e7f2d9c78b0faa588fd99b4"
        }
      }
    }
  }
}
</code></pre><p>The shrinkwrap command has locked down the dependencies based on
what's currently installed in node_modules. When <code>npm install</code>
installs a package with an <code>npm-shrinkwrap.json</code> in the package
root, the shrinkwrap file (rather than <code>package.json</code> files) completely
drives the installation of that package and all of its dependencies
(recursively). So now the author publishes A@0.1.0, and subsequent
installs of this package will use B@0.0.1 and C@0.0.1, regardless of the
dependencies and versions listed in A's, B's, and C's <code>package.json</code></p>
<h3 id="using-shrinkwrapped-packages">Using shrinkwrapped packages</h3>
<p>Using a shrinkwrapped package is no different than using any other
package: you can <code>npm install</code> it by hand, or add a dependency to your
<code>package.json</code> file and <code>npm install</code> it.</p>
<h3 id="building-shrinkwrapped-packages">Building shrinkwrapped packages</h3>
<p>To shrinkwrap an existing package:</p>
<ol>
<li>Run <code>npm install</code> in the package root to install the current
versions of all dependencies.</li>
<li>Validate that the package works as expected with these versions.</li>
<li>Run <code>npm shrinkwrap</code>, add <code>npm-shrinkwrap.json</code> to git, and publish</li>
</ol>
<p>To add or update a dependency in a shrinkwrapped package:</p>
<ol>
<li>Run <code>npm install</code> in the package root to install the current
versions of all dependencies.</li>
<li>Add or update dependencies. <code>npm install</code> each new or updated
package individually and then update <code>package.json</code>. Note that they
must be explicitly named in order to be installed: running <code>npm
install</code> with no arguments will merely reproduce the existing</li>
<li>Validate that the package works as expected with the new</li>
<li>Run <code>npm shrinkwrap</code>, commit the new <code>npm-shrinkwrap.json</code>, and
publish your package.</li>
</ol>
<p>You can use <a href="../cli/npm-outdated.html">npm-outdated(1)</a> to view dependencies with newer versions</p>
<h3 id="other-notes">Other Notes</h3>
<p>A shrinkwrap file must be consistent with the package's <code>package.json</code>
file. <code>npm shrinkwrap</code> will fail if required dependencies are not
already installed, since that would result in a shrinkwrap that
wouldn't actually work. Similarly, the command will fail if there are
extraneous packages (not referenced by <code>package.json</code>), since that would
indicate that <code>package.json</code> is not correct.</p>
<p>Since <code>npm shrinkwrap</code> is intended to lock down your dependencies for
production use, <code>devDependencies</code> will not be included unless you
explicitly set the <code>--dev</code> flag when you run <code>npm shrinkwrap</code>. If
installed <code>devDependencies</code> are excluded, then npm will print a
warning. If you want them to be installed with your module by
default, please consider adding them to <code>dependencies</code> instead.</p>
<p>If shrinkwrapped package A depends on shrinkwrapped package B, B's
shrinkwrap will not be used as part of the installation of A. However,
because A's shrinkwrap is constructed from a valid installation of B
and recursively specifies all dependencies, the contents of B's
shrinkwrap will implicitly be included in A's shrinkwrap.</p>
<h3 id="caveats">Caveats</h3>
<p>If you wish to lock down the specific bytes included in a package, for
example to have 100% confidence in being able to reproduce a
deployment or build, then you ought to check your dependencies into
source control, or pursue some other mechanism that can verify
contents rather than versions.</p>
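<p>The caveat above, as an added example (not npm's own code): a Node.js audit that walks the recursive <code>dependencies</code> tree of a shrinkwrap file and flags entries whose <code>resolved</code> source is weakly pinned. The function names, issue labels and the <code>D</code> and <code>E</code> entries are assumptions made for illustration; <code>B</code> and <code>C</code> are the entries shown earlier on this page.</p>

```javascript
// Added example (not npm's code): flag shrinkwrap entries with a weak "resolved".
const FULL_SHA = /^[0-9a-f]{40}$/i;

// Check one entry; returns a list of { path, issue } findings.
function checkEntry(path, dep) {
  if (typeof dep.resolved !== "string") return [{ path, issue: "missing-resolved" }];
  const [url, ref = ""] = dep.resolved.split("#");
  const m = /^([a-z0-9+.-]+):/i.exec(url);
  const scheme = m ? m[1].toLowerCase() : "";
  const findings = [];
  // git:// and http:// are unauthenticated, unencrypted transports.
  if (["git", "http", "git+http"].includes(scheme)) findings.push({ path, issue: "cleartext-transport" });
  // A git source is only immutable when pinned to a full 40-hex commit hash.
  if (scheme.startsWith("git") && !FULL_SHA.test(ref)) findings.push({ path, issue: "unpinned-git-ref" });
  return findings;
}

// Walk the nested "dependencies" objects recursively, as npm install does.
function auditShrinkwrap(node, path = node.name || "(root)") {
  let findings = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const depPath = `${path} > ${name}@${dep.version}`;
    findings = findings.concat(checkEntry(depPath, dep), auditShrinkwrap(dep, depPath));
  }
  return findings;
}

// Constructed sample: B and C come from the page; D and E are hypothetical.
const SAMPLE = {
  name: "A", version: "0.1.0",
  dependencies: {
    B: {
      version: "0.0.1", from: "B@^0.0.1",
      resolved: "https://registry.npmjs.org/B/-/B-0.0.1.tgz",
      dependencies: {
        C: {
          version: "0.0.1", from: "org/C#v0.0.1",
          resolved: "git://github.com/org/C.git#5c380ae319fc4efe9e7f2d9c78b0faa588fd99b4"
        },
        D: { version: "0.0.3", from: "org/D#master",
             resolved: "git+https://github.com/org/D.git#master" },
        E: { version: "1.0.0", from: "E@1.0.0" }
      }
    }
  }
};

console.log(auditShrinkwrap(SAMPLE));
```

<p>Registry tarball entries such as <code>B</code> pass these checks, yet the file format shown on this page records no content hash for them, which is the gap the caveat describes.</p>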
<h2 id="see-also">SEE ALSO</h2>
<ul>
<li><a href="../cli/npm-install.html">npm-install(1)</a></li>
<li><a href="../files/package.json.html">package.json(5)</a></li>
<li><a href="../cli/npm-ls.html">npm-ls(1)</a></li>
</ul>
<p id="footer">npm-shrinkwrap — npm@2.15.11</p>