npm: How to pin the version of a dependency of a dependency

If you are looking for a solution to pin a dependency of a dependency, you can use npm-force-resolutions.
Let’s see the use case and how to use it.


Version management problem

To build exactly the same artifact every time, we need to pin the dependency versions used by our application. Not all modules follow the semantic versioning rule, which has the following format.

xxx.yyy.zzz

Incrementing xxx (major) means that the module introduces breaking changes.
Incrementing yyy (minor) means that the module adds new features.
Incrementing zzz (patch) means that the module fixes bugs.

Sub-dependency can introduce a breaking change

We can pin the version of a dependency used directly by our application simply by removing the caret mark (“^”) from its version range. However, we can’t pin the dependencies of a dependency that way. Let’s call them sub-dependencies.

If some modules don’t follow the rule, our application can suddenly break, because many modules use the caret to get the latest version that is supposed to be compatible. This means that even if we pin the direct dependencies, a sub-dependency can still resolve to a newer version that introduces breaking changes.

License problem

Another case is a license problem. An old version uses license xxx, but the latest version uses license yyy. We can use license xxx but not yyy for our business. In this case, we need to pin the version.

How to pin the version

npm-force-resolutions offers a simple solution. We just need to add a preinstall script and a resolutions section to the package.json file.

"scripts": {
  "something": "do something",
  "preinstall": "npx npm-force-resolutions"
},
"resolutions": {
  "abc-module": "2.3.4"
}

When npm install is executed, the preinstall script runs before the install. npm-force-resolutions rewrites package-lock.json so that the pinned version specified in the resolutions section is the one installed, including where the module appears only as a sub-dependency. Note that an existing package-lock.json is required, since that is the file it modifies.
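As an added example (not from the original post and not part of npm-force-resolutions), here is a small Node.js check to run after npm install: it confirms that every installed copy of a pinned module, including nested copies under sub-dependencies, matches the version in resolutions. The lock file contents and module names are constructed for the example, and it assumes lockfileVersion 2 or 3 (the "packages" map).

```javascript
// Added example, not code from the original post or from npm-force-resolutions.
// Verifies that package-lock.json contains only the pinned version of each
// module listed in "resolutions", including nested copies installed for
// sub-dependencies. All names and versions below are constructed.

const resolutions = { "abc-module": "2.3.4" };

// Constructed lockfileVersion 3 fragment: the top-level abc-module is pinned,
// but "some-lib" still pulls in its own nested copy at a newer major version.
const lock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/abc-module": { version: "2.3.4" },
    "node_modules/some-lib": { version: "5.1.0", dependencies: { "abc-module": "^3.0.0" } },
    "node_modules/some-lib/node_modules/abc-module": { version: "3.0.1" },
  },
};

// The module name is whatever follows the last "node_modules/" in the path,
// so scoped names such as node_modules/@scope/pkg are handled as well.
function moduleName(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Major component of xxx.yyy.zzz; a differing major signals a possible breaking change.
function majorOf(version) {
  return Number(version.split(".")[0]);
}

// Returns one entry per installed copy whose version differs from its pin.
function findUnpinned(lockJson, pins) {
  const violations = [];
  for (const [path, meta] of Object.entries(lockJson.packages || {})) {
    const name = moduleName(path);
    if (name === null || pins[name] === undefined || meta.version === pins[name]) continue;
    violations.push({
      path,
      name,
      installed: meta.version,
      pinned: pins[name],
      majorChanged: majorOf(meta.version) !== majorOf(pins[name]),
    });
  }
  return violations;
}

for (const v of findUnpinned(lock, resolutions)) {
  console.log(`${v.path}: installed ${v.installed}, pinned ${v.pinned}` +
    (v.majorChanged ? " (major differs: possible breaking change)" : ""));
}
```

To use it on a real project, replace the constructed lock object with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and the resolutions with the section from package.json.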
