So You Think You're Just Gonna npm Install? Think Again
Ever wonder what would happen if you forgot to commit a lockfile alongside your package.json? Nothing good. Read on to find out how to avoid this fate.
We embraced the birth of package lockfiles with open arms, which introduced deterministic installations across different environments and enforced dependency expectations across team collaboration.
Life is good! Or so I thought… what would have happened had I slipped some changes into the project’s package.json file but forgotten to commit the lockfile alongside it?
Both Yarn and npm behave the same way during dependency installation. When they detect an inconsistency between the project’s package.json and the lockfile, they compensate for the change by following the package.json manifest and installing different versions than those recorded in the lockfile.
This situation is hazardous for build and production environments: they could pull in unintended package versions, nullifying the benefit of having a lockfile at all.
Luckily, there is a way to tell both Yarn and npm to adhere to a specified set of dependencies and their versions by referencing them from the lockfile. Any inconsistency will abort the installation. The command line should read as follows:
- If you’re using Yarn, run
yarn install --frozen-lockfile
- If you’re using npm, run
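As an added example (not from the article), here is a small pre-install check in Node.js that reports exactly the kind of drift described above: package.json was edited without the lockfile being regenerated. It assumes a lockfileVersion 2 or 3 package-lock.json, where the root `packages[""]` entry records the declared dependency ranges, and the two manifests are constructed inline rather than read from disk; `npm ci` performs a comparable comparison and aborts on a mismatch.

```javascript
// Added example: detect drift between package.json and a lockfileVersion 2/3
// package-lock.json before installing. Assumes the lockfile root entry
// packages[""] records the declared ranges (as npm 7+ writes it).

// Returns a list of mismatches; an empty list means the lockfile is in sync.
function lockfileDrift(pkg, lock) {
  const problems = [];
  if (!lock || !lock.packages || !lock.packages['']) {
    return ['lockfile missing or not lockfileVersion 2/3'];
  }
  const root = lock.packages[''];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    const declared = pkg[field] || {};
    const locked = root[field] || {};
    for (const [name, range] of Object.entries(declared)) {
      if (!(name in locked)) {
        problems.push(`${field}: ${name} added to package.json but not in lockfile`);
      } else if (locked[name] !== range) {
        problems.push(`${field}: ${name} range changed ${locked[name]} -> ${range}`);
      } else if (!lock.packages[`node_modules/${name}`]) {
        problems.push(`${field}: ${name} has no resolved node_modules entry`);
      }
    }
    for (const name of Object.keys(locked)) {
      if (!(name in declared)) {
        problems.push(`${field}: ${name} still in lockfile but removed from package.json`);
      }
    }
  }
  return problems;
}

// Constructed sample: the lockfile was generated with lodash ^4.17.20; package.json
// was then edited to ^4.17.21 and gained left-pad without re-running npm install.
const samplePkg = {
  name: 'demo',
  dependencies: { lodash: '^4.17.21', 'left-pad': '1.3.0' },
};
const sampleLock = {
  name: 'demo',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', dependencies: { lodash: '^4.17.20' } },
    'node_modules/lodash': { version: '4.17.20' },
  },
};

console.log(lockfileDrift(samplePkg, sampleLock));
```

Running it on the sample prints two problems (the lodash range change and the un-locked left-pad), which is the signal a CI job should fail on before any install runs.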
I also wrote a post on 10 npm security best practices you should adopt, which includes a high-resolution printable PDF.
Published at DZone with permission of Liran Tal. See the original article here.