If you are looking for a solution to pin a dependency of a dependency, you can use npm-force-resolutions.
Let’s see the use case and how to use it.
Version management problem
To build exactly the same artifact every time, we need to pin the dependency versions our application uses. Not every module follows the semantic versioning rule, which has the following format:
xxx.yyy.zzz
Incrementing xxx means that the module introduces breaking changes.
Incrementing yyy means that the module adds new features (backward compatible).
Incrementing zzz means that the module fixes bugs (backward compatible).
Sub-dependency can introduce a breaking change
For a dependency our application uses directly, we can pin its version just by removing the caret “^” in front of the version in package.json. However, we can’t pin the dependencies of a dependency that way. Let’s call them sub-dependencies.
If some modules don’t follow the rule, our application can suddenly break, because many modules use the caret to get the latest version that npm considers compatible. That means even if we pin our direct dependencies, a sub-dependency can still be downloaded at its latest version, which might introduce breaking changes.
License problem
Another case is the license problem. An old version is released under the xxx license, but the latest version switched to the yyy license. Our business can use xxx but not yyy. In this case, we also need to pin the version.
How to pin the version
npm-force-resolutions offers a simple solution. We just need to add a preinstall script and a resolutions section to the package.json file.
{
  "scripts": {
    "something": "do something",
    "preinstall": "npx npm-force-resolutions"
  },
  "resolutions": {
    "abc-module": "2.3.4"
  }
}
When npm install is executed for the module, the preinstall script runs before the install. It forces the version specified in the resolutions section (by rewriting the resolved version in package-lock.json, so a package-lock.json must already exist), and the install then downloads that fixed version instead of the latest one.