| 1 | +--- |
| 2 | +title: Shrinkwrap HOWTO |
| 3 | +tags: |
| 4 | + - help |
| 5 | + - shrinkwrap |
| 6 | +devOnly: true |
| 7 | +section: Development |
| 8 | +--- |
| 9 | + |
| 10 | +<strong>`npm shrinkwrap` is a mechanism to lock dependency versions in order to ensure repeatable builds.</strong> |
| 11 | + |
| 12 | +"shrinkwrap" should be thought of as a deployment tool, not a developer tool. Its purpose is to lock dependency versions at a point in time so future rebuilds are repeatable, e.g. in a release branch. |
| 13 | + |
| 14 | +## Usage |
| 15 | + |
| 16 | +### 1. To shrinkwrap a release branch: |
| 17 | +``` |
| 18 | +gulp clean |
| 19 | +npm install --production |
| 20 | +npm shrinkwrap |
| 21 | +git add npm-shrinkwrap.json |
| 22 | +git commit |
| 23 | +``` |
| 24 | + |
| 25 | +It is important that you do not shrinkwrap developer dependencies. See below. |
| 26 | + |
| 27 | +### 2. To update a dependency after shinkwrapping. |
| 28 | + |
| 29 | +**Do not manually edit package.json.** |
| 30 | + |
| 31 | +Instead, use npm commands: |
| 32 | + |
| 33 | +- `npm install <package>@<specific_version>` |
| 34 | +- `npm remove <package>` |
| 35 | + |
| 36 | +## How "npm install" works when a shrinkwrap file is present |
| 37 | + |
| 38 | +`npm help shrinkwrap` describes it thusly: |
| 39 | + |
| 40 | +> The installation behavior is changed to: |
| 41 | +> |
| 42 | +> 1. The module tree described by the shrinkwrap is reproduced. This means reproducing the structure |
| 43 | +> described in the file, using the specific files referenced in "resolved" if available, falling |
| 44 | +> back to normal package resolution using "version" if one isn't |
| 45 | +> |
| 46 | +> 2. The tree is walked and any missing dependencies are installed in the usual fashion. |
| 47 | +
|
| 48 | +Notice that **the exact contents of the shrinkwrap file are reproduced** before normal "npm install" behavior kicks in. |
| 49 | + |
| 50 | +The Compass `gulpfile.js` runs the following command inside the "build" directory: |
| 51 | + |
| 52 | +``` |
| 53 | +npm install --production |
| 54 | +``` |
| 55 | + |
| 56 | +All packages in npm-shrinkwrap.json will be **installed blindly** before the `--production` flag is examined. Therefore, if the shrinkwrap file contains any developer dependencies, those will be blindly installed during this --production install. This can result in runtime failures. |
| 57 | + |
| 58 | +npm@3 as of 3.5.0 is not able to cleanly distinguish devDependencies from --production dependencies when creating the shrinkwrap file. (This is a side-effect on npm@3 package deduping). Thus, the safest way to create the shrinkwrap file is to `gulp clean`, `npm install --production`, then shrinkwrap. |
| 59 | + |
| 60 | +## References: |
| 61 | + |
| 62 | +- https://docs.npmjs.com/cli/shrinkwrap |
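Review bot: Section 2 ("To update a dependency after shinkwrapping") stops after `npm install <package>@<specific_version>` / `npm remove <package>` and never says what happens to npm-shrinkwrap.json, even though section 1 makes committing that file the whole point. As shown, neither command carries `--save`, so they only change node_modules and leave both package.json and the committed shrinkwrap untouched, and the next clean `npm install --production` will silently reinstall the old version. Suggest spelling out the full cycle in section 2, e.g. `npm install <package>@<specific_version> --save`, then `npm shrinkwrap`, then `git add npm-shrinkwrap.json` and commit, and reminding the reader to review the diff of the regenerated file (the "resolved" entries are what the quoted `npm help` text says will be reproduced verbatim on every install). Minor: "shinkwrapping" in that heading should be "shrinkwrapping", and the two numbered headings end inconsistently (one with ":" and one with "."); the two fenced blocks would also read better tagged as `sh`.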