Why are some npm packages listed in lock-file but not the package.json file? - npm

I ran npm audit and it's warning me to update some of the packages. However, the packages it's warning me about, such as chokidar, are not listed in my package.json. So what does this mean? How do I perform an update if the package is not listed in the file?

It's not listed in your package.json because it is a nested dependency.
You can update it either by trying npm audit --fix or by using the package npm-force-resolutions.
How to use npm-force-resolutions:
First add a field resolutions with the dependency version you want to fix to your package.json, for example:
"resolutions": {
"hoek": "4.2.1"
}
Then add npm-force-resolutions to the preinstall script so that it patches the package-lock file before every npm install you run:
"scripts": {
"preinstall": "npx npm-force-resolutions"
}
Now just run npm install as you would normally do:
npm install
To confirm that the right version was installed, use:
npm ls hoek
If your package-lock changes, you may need to run the steps above again.

You can check which dependency is requiring the package that appears in the lock with the npm ls command.
For instance, for sqlite3 you can run:
npm ls sqlite3 --json

Related

Skip a Specific npm Package on Build Definition on ADO

There are some packages that I'd like to skip on build definition. I was wondering if there's any way to skip any specific npm packages on the build definition on ADO?
For example, if I want to ignore the npm package #microsoft/applicationinsights-common, can I do something like the following?
npm install --ignore #microsoft/applicationinsights-common
There is no possibility to ignore one specific npm package using npm install.
If you want to skip such npm packages, which are only needed for development, then in package.json move the development-specific dependencies to devDependencies and use the npm install --production command to install only the packages that are defined in dependencies.

Does npm install <pkg> also run npm start of that pkg?

Does npm i -S <pkg/module> or yarn add <pkg/module> also run the start script written in the package.json of that specific pkg/module?
No, it just installs the package recursively and adds it to your package.json.
https://docs.npmjs.com/cli/install for reference
The script postinstall is run after installation
https://docs.npmjs.com/misc/scripts for reference

How can I skip installing optional dependencies with 'npm ci'?

How can I skip installing optional dependencies from package-lock.json with npm ci?
You can use npm ci --no-optional.
If npm still installs the optional package, try removing package-lock.json and running the command again.
There was an error in NPM's implementation of npm ci --no-optional. It has been fixed in versions > 6.13.3 - maybe earlier versions as well, but I can only vouch for 6.13.4 and up.
I was facing this issue with a CI workflow script and even "--no-optional" was not working:
npm ci --no-optional
The above command only worked when I added the optional package as
"optionalDependencies": {
"fsevents": "^2.3.2"
}
in the package.json file
It's not a proper solution, rather an ugly one, but it helped me out. It looks like npm ci --no-optional doesn't work and probably never worked. But at the same time flag --production works. And if we afford mutating package.json (e.g. in a docker container) then...
So I wrote a simple script that:
reads package.json content
Object.assign(cfg.dependencies, cfg.devDependencies)
delete cfg.devDependencies
overwrites the initial package.json
So finally we have:
dependencies contains both normal & dev dependencies
devDependencies section is empty
optionalDependencies are intact
And when we run npm ci --production we get what we want - no optional dependencies (in my case cypress). Due to the fact that all these steps are performed inside of a docker container, we can mutate package.json.
But I'm not sure that it'll help you too.
In order to make npm ci --no-optional skip/ignore an optional package, it's important to understand how npm interacts with package.json and package-lock.json.
npm install --no-optional (is only effective if package-lock.json doesn't exist, otherwise it would ignore --no-optional)*
npm ci --no-optional is only effective if package-lock.json was already created with npm install --no-optional**.
* This means if you want to make an already installed package optional, you would have to:
Add it to "optionalDependencies": either manually or through npm install package-name --save-optional
Delete the package-lock.json.
Then run rm -rf node_modules/
Lastly run npm install --no-optional
At this point npm ci --no-optional isn't supposed to install it.
** TIP: you can debug whether a certain package is assigned as optional by running npm ls package-name
Note: This is one of the reasons why it's recommended to keep track of package-lock.json in the git repo of the project.

How to update local module?

package.json
// ...
"dependencies": {
"my-local": "file:../local/my-local",
// other dependencies
},
// ...
I tried npm install, doesn't work. npm update my-local also doesn't seem to work, possibly because I don't iterate version for each small change I make? (early development stage)
Only reliable way I've found is to npm uninstall my-local and reinstall but it's very annoying.
Is there a better way?
You need another tool for that: https://www.npmjs.com/package/npm-check-updates. Install that with:
npm install -g npm-check-updates
Then:
ncu -u
npm install
The install is necessary, as ncu just updates package.json and doesn't install anything.

grunt js installing packages

I'm building a grunt javascript project with grunt, and I have a package.json file that looks something like:
{
... name, author, etc here ...
"dependencies": {
"grunt-html":"0.2.1"
}
}
I can run npm install to install grunt-html and this works just fine. But when I add new dependencies, all developers on the team must know to run npm install again. Is there a way to automatically install any packages that have not yet been installed? Should I just run npm install always to ensure I'm up to date?
Yes, npm install is the easiest way IMO. Getting everyone familiar with the other npm commands makes managing deps easier as well. Such as:
npm ls to list out the currently installed modules.
Or the --save flag, i.e., npm install grunt-html --save to install and insert the package and version into your package.json.
npm prune to remove modules not included in your package.json.
Other ways to manage dependencies are to commit the node_modules folder in your repository to save other devs from having to run npm install. Or for more complex projects consider using npm shrinkwrap to lock down dependencies to specific versions: npm shrinkwrap docs.
I have not tried grunt-install-dependencies (https://github.com/ahutchings/grunt-install-dependencies), but it seems this may fulfill your needs. Just add the command install-dependencies as the first task within your custom defined grunt tasks, e.g.
grunt.registerTask('build', [ 'install-dependencies', 'useminPrepare', ... ]);