{"id":13483314,"url":"https://github.com/uber-archive/npm-shrinkwrap","last_synced_at":"2025-03-27T14:31:13.396Z","repository":{"id":15000285,"uuid":"17725723","full_name":"uber-archive/npm-shrinkwrap","owner":"uber-archive","description":"A consistent shrinkwrap tool","archived":true,"fork":false,"pushed_at":"2020-07-07T19:00:30.000Z","size":138,"stargazers_count":775,"open_issues_count":47,"forks_count":47,"subscribers_count":2199,"default_branch":"master","last_synced_at":"2024-05-23T09:59:21.159Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/uber-archive.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-03-13T20:56:02.000Z","updated_at":"2023-08-19T19:12:26.000Z","dependencies_parsed_at":"2022-09-01T23:24:22.252Z","dependency_job_id":null,"html_url":"https://github.com/uber-archive/npm-shrinkwrap","commit_stats":null,"previous_names":["uber/npm-shrinkwrap"],"tags_count":41,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/uber-archive%2Fnpm-shrinkwrap","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/uber-archive%2Fnpm-shrinkwrap/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/uber-archive%2Fnpm-shrinkwrap/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/uber-archive%2Fnpm-shrinkwrap/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/uber-archive","download_url":"https://codeload.github.com/uber-archive/npm-shrinkwrap/tar.gz/refs/heads/maste
r","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245863062,"owners_count":20684780,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T17:01:09.991Z","updated_at":"2025-03-27T14:31:12.916Z","avatar_url":"https://github.com/uber-archive.png","language":"JavaScript","funding_links":[],"categories":["Packages","JavaScript"],"sub_categories":["Other"],"readme":"# npm-shrinkwrap\n\n(This project is deprecated and not maintained.)\n\nA consistent shrinkwrap tool. **Note: npm \u003e= 3 is currently not supported.**\n\n## Usage\n\n`$ npm-shrinkwrap`\n\nThis runs shrinkwrap, which verifies your package.json \u0026\n  node_modules tree are in sync. If they are, it runs shrinkwrap,\n  then fixes the `resolved` fields and trims `from` fields.\n\nWhen you run `npm-shrinkwrap` it will either:\n\n - fail because your package.json \u0026 node_modules disagree, i.e.\n    you installed something without `--save` or hand edited your\n    package.json\n - succeed, add all top level dependencies to your\n    npm-shrinkwrap.json file and then run `npm-shrinkwrap sync`,\n    which writes the npm-shrinkwrap.json back into node_modules\n\n## Motivation\n\n### Verify local correctness\n\nWe need to verify that `package.json`, `npm-shrinkwrap.json` and\n  `node_modules` all have the same content.\n\nCurrently npm verifies most things but doesn't verify git\n  completely.\n\nThe edge case npm doesn't handle is if you change the tag in\n  your package.json. 
npm happily says that the dependency in\n  your node_modules tree is valid regardless of what tag it is.\n\n### Consistently set a `resolved` field.\n\nNPM shrinkwrap serializes your node_modules folder. Depending\n  on whether you installed a module from cache or not it will\n  either have or not have a resolved field.\n\n`npm-shrinkwrap` will put a `resolved` field in for everything\n  in your shrinkwrap.\n\n### Reduce diff churn\n\nThere are a few tricks to ensuring there is no unneeded churn\n  in the output of `npm shrinkwrap`.\n\nThe first is to ensure you install with `npm cache clean` so\n  that an `npm ls` output is going to consistently give you the\n  `resolved` and `from` fields.\n\nThe second is to just delete all `from` fields from the\n  generated shrinkwrap file since they change a lot but are\n  never used. However you can only delete some `from` fields,\n  not all.\n\n### Human readable `diff`\n\nWhen you run shrinkwrap and check it into git you have an\n  unreadable git diff.\n\n`npm-shrinkwrap` comes with an `npm-shrinkwrap diff` command.\n\n```sh\nnpm-shrinkwrap diff master HEAD\nnpm-shrinkwrap diff HEAD npm-shrinkwrap.json --short\n```\n\nYou can use this command to print out a readable context\n  specific diff of your shrinkwrap changes.\n\n### Custom shrinkwrap validators\n\n`npm-shrinkwrap` can be programmatically configured with an\n  array of `validators`.\n\nThese `validators` run over every node in the shrinkwrap file\n  and can do assertions.\n\nUseful assertions are things like asserting that all dependencies\n  point at your private registry instead of the public one.\n\n## Example\n\n```js\nvar npmShrinkwrap = require(\"npm-shrinkwrap\");\n\nnpmShrinkwrap({\n    dirname: process.cwd()\n}, function (err, optionalWarnings) {\n    if (err) {\n        throw err;\n    }\n\n    optionalWarnings.forEach(function (err) {\n        console.warn(err.message)\n    })\n\n    console.log(\"wrote npm-shrinkwrap.json\")\n})\n```\n\n## 
Algorithm\n\nnpm-shrinkwrap algorithm\n\n - run `npm ls` to verify that node_modules \u0026 package.json\n    agree.\n\n - run `verifyGit()` which has a similar algorithm to\n    `npm ls` and will verify that node_modules \u0026 package.json\n    agree for all git links.\n\n - read the old `npm-shrinkwrap.json` into memory\n\n - run `npm shrinkwrap`\n\n - copy over excess non-standard keys from old shrinkwrap\n    into new shrinkwrap and write new shrinkwrap with extra\n    keys to disk.\n\n - run `setResolved()` which will ensure that the new\n    npm-shrinkwrap.json has a `\"resolved\"` field for every\n    package and writes it to disk.\n\n - run `trimFrom()` which normalizes or removes the `\"from\"`\n    field from the new npm-shrinkwrap.json. It also sorts\n    the new npm-shrinkwrap.json deterministically then\n    writes that to disk\n\n - run `trimNested()` which will trim any changes in the\n    npm-shrinkwrap.json to dependencies at depth \u003e=1. i.e.\n    any changes to nested dependencies without changes to\n    the direct parent dependency just get deleted\n\n - run `sync()` to write the new `npm-shrinkwrap.json` back into\n    the `node_modules` folder\n\n\nnpm-shrinkwrap NOTES:\n\n - `verifyGit()` only has a depth of 0, whereas `npm ls`\n    has depth infinity.\n\n - `verifyGit()` is only sound for git tags. This means that\n    for non git tags it gives warnings / errors instead.\n\n - `trimFrom()` also sorts and rewrites the package.json\n    for consistency\n\n - By default, the npm-shrinkwrap algorithm does not dedupe\n   nested dependencies. This means that the shrinkwrap is\n   closer to the installed dependencies by default. 
If this\n   is not desired `--keepNested=false` can be passed to the\n   shrinkwrap cli\n\n## Cli Documentation\n\n### `npm-shrinkwrap [options]`\n\nVerifies your `package.json` and `node_modules` are in sync.\n  Then runs `npm shrinkwrap` and cleans up the\n  `npm-shrinkwrap.json` file to be consistent.\n\nBasically like `npm shrinkwrap` but better\n\n```\nOptions:\n  --dirname           sets the directory location of the package.json\n                      defaults to `process.cwd()`.\n  --keep-nested       If set, will not remove nested changes.\n  --warnOnNotSemver   If set, will downgrade invalid semver errors\n                      to warnings\n  --dev               If set, will shrinkwrap dev dependencies\n  --silent            If set, will be silent.\n```\n\n#### `npm-shrinkwrap --help`\n\nPrints this message\n\n#### `npm-shrinkwrap sync`\n\nSyncs your `npm-shrinkwrap.json` file into the `node_modules`\n  directory.\n\nThis will ensure that your local `node_modules` matches the\n  `npm-shrinkwrap.json` file verbatim. 
Any excess modules in\n  your node_modules folder will be removed if they are not in\n  the `npm-shrinkwrap.json` file.\n\nOptions:\n    --dirname   sets the directory of the npm-shrinkwrap.json\n\n - `--dirname` defaults to `process.cwd()`\n\n#### `npm-shrinkwrap install`\n\nWill write a `shrinkwrap` script to your `package.json` file.\n\n```json\n{\n    \"scripts\": {\n        \"shrinkwrap\": \"npm-shrinkwrap\"\n    }\n}\n```\n\nOptions:\n    --dirname   sets the directory location of the package.json\n\n#### `npm-shrinkwrap diff [OldShaOrFile] [NewShaOrfile]`\n\nThis will show a human readable diff for the shrinkwrap file.\n\nYou can pass it either a path to a file or a git shaism.\n\nExample:\n\n```\nnpm-shrinkwrap diff HEAD npm-shrinkwrap.json\nnpm-shrinkwrap diff origin/master HEAD\n```\n\n```\nOptions:\n    --depth     configure the depth at which it prints\n    --short     when set it will print add/remove tersely\n    --dirname   configure which folder to run within\n```\n\n - `--depth` defaults to `0`\n - `--short` defaults to `false`\n - `--dirname` defaults to `process.cwd()`\n\n## Installation\n\nFor usage with npm@2\n\n`npm install npm-shrinkwrap`\n\nFor usage with npm@1\n\n`npm install npm-shrinkwrap@100.x`\n\n**Note: npm \u003e= 3 is not supported.**\n\n## Tests\n\n`npm test`\n\n## Contributors\n\n - Raynos\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fuber-archive%2Fnpm-shrinkwrap","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fuber-archive%2Fnpm-shrinkwrap","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fuber-archive%2Fnpm-shrinkwrap/lists"}