add _hasShrinkwrap to npm package metadata #3403
morriswinkler
started this conversation in
Ideas
Replies: 1 comment
-
Hi, is there any news on this idea? I am using verdaccio as a proxy and want to use npm shrinkwrap due to current security concerns via dependencies. Are there any future plans for how to handle package metadata?
-
Currently, packages that provide an npm-shrinkwrap.json file that are published to verdaccio will not have the required _hasShrinkwrap metadata field set, in which case npm install will not honour the shrinkwrapped file.
See npm issue: npm/cli#4583
The example I used to test that is:
from npm/cli#5141
If you run npm install && npm ls moment you get something like:
While if you install that from the npm registry, moment will be pinned by the npm-shrinkwrap.json inside @sap/logging to 2.29.2.
It would probably be good to handle the metadata generation similar to the npm registry.
As a reference the npm metadata documentation:
https://github.com/npm/registry/blob/master/docs/responses/package-metadata.md
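A way to check a proxy for the gap described in this discussion, as an added example that is not part of the thread and not Verdaccio or npm code: compare the `_hasShrinkwrap` value in a version's metadata with whether its tarball actually ships a root-level npm-shrinkwrap.json. The function names, the status strings and the sample package are assumptions made for illustration; the tarball is constructed in memory.

```javascript
// Added example: compare one version's registry metadata with its tarball.
const zlib = require('node:zlib');

// List entry names in a tar archive (gzipped or not). Reads only the classic
// header fields: name at offset 0 (100 bytes), size at offset 124 (octal).
function tarEntryNames(buf) {
  if (buf[0] === 0x1f && buf[1] === 0x8b) buf = zlib.gunzipSync(buf);
  const names = [];
  let off = 0;
  while (off + 512 <= buf.length) {
    const header = buf.subarray(off, off + 512);
    if (header.every((b) => b === 0)) break; // end-of-archive block
    names.push(header.subarray(0, 100).toString('utf8').split('\0')[0]);
    const octal = header.subarray(124, 136).toString('ascii').split('\0')[0];
    const size = parseInt(octal.trim(), 8) || 0;
    off += 512 + Math.ceil(size / 512) * 512; // header + padded body
  }
  return names;
}

// versionMeta: one entry of the "versions" map in the package metadata.
// Returns 'MISSING_FLAG' when the tarball ships a root npm-shrinkwrap.json
// but _hasShrinkwrap is not true, 'STALE_FLAG' for the reverse, else 'OK'.
function auditVersion(versionMeta, tarball) {
  const shipsShrinkwrap = tarEntryNames(tarball)
    // npm tarballs nest files under one top-level directory ("package/").
    .some((n) => n.replace(/^[^/]+\//, '') === 'npm-shrinkwrap.json');
  const flag = versionMeta._hasShrinkwrap;
  if (shipsShrinkwrap && flag !== true) return 'MISSING_FLAG';
  if (!shipsShrinkwrap && flag === true) return 'STALE_FLAG';
  return 'OK';
}

// Constructed sample: a one-file .tgz built in memory. The header checksum
// is left blank because tarEntryNames() does not verify it.
function sampleTarball(name, content) {
  const header = Buffer.alloc(512);
  header.write(name, 0, 'utf8');
  const size = Buffer.byteLength(content);
  header.write(size.toString(8).padStart(11, '0'), 124, 'ascii');
  const body = Buffer.alloc(Math.ceil(size / 512) * 512);
  body.write(content, 0, 'utf8');
  return zlib.gzipSync(Buffer.concat([header, body, Buffer.alloc(1024)]));
}

const tgz = sampleTarball('package/npm-shrinkwrap.json', '{"lockfileVersion":2}');
console.log(auditVersion({ name: 'example-pkg', version: '1.0.0' }, tgz));
console.log(auditVersion({ name: 'example-pkg', _hasShrinkwrap: true }, tgz));
```

To audit a real proxy, pass each entry of the `versions` map from the served package metadata together with the bytes of that version's tarball.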