This packages modifies package-lock.json to force the installation of specific version of a transitive dependency (dependency of dependency), similar to yarn's selective dependency resolutions, but without having to migrate to yarn.
The use case for this is when there is a security vulnerability and you MUST update a nested dependency otherwise your project would be vulnerable. But this should only be used as a last resource, you should first update your top-level dependencies and file an issue for them to update the vulnerable sub-dependencies (npm ls <vulnerable dependency>
can help you with that).
First add a field resolutions
with the dependency version you want to fix to your package.json
, for example:
"resolutions": { "hoek": "4.2.1" }
Then add npm-force-resolutions to the preinstall script so that it patches the package-lock
file before every npm install
you run:
"scripts": { "preinstall": "npx npm-force-resolutions" }
Now just run npm install
as you would normally do:
npm install
To confirm that the right version was installed, use:
npm ls hoek
If your package-lock changes, you may need to run the steps above again.
To build the project from source you'll need to install clojure. Then you can run:
npm install npm run build