I've got an npm-shrinkwrap.json and a package.json in a git branch called "deployment".
On my servers, I fetch and merge this deployment branch from github. This ensures that my servers have the latest deployment version.
Because the node_modules binaries etc. are not being shipped, I need to run npm install or npm update on the server side too, after the project repository has been pulled from the server.
This is why I decided to use npm shrinkwrap. However, even when I have this npm-shrinkwrap.json in the main folder and run npm install, it still installs newer versions of submodules, even though the shrinkwrapped json file has locked these down. It seems like npm does not even look at the shrinkwrap file.
Could anyone explain why this happens, and how to resolve this situation?
This is part of package.json:

    "dependencies" : {
        "eventemitter2" : "0.4.9",
        "after" : "0.4.1",
        "express" : "2.5.9"
    },
    "devDependencies" : {
        "mocha" : ">= 1.0.3 < 2",
        "should" : ">= 0.6.3 < 1",
        "request" : ">= 2.9.202 < 3",
        "commander" : ">= 0.6.0 < 1"
    },

Whereas npm-shrinkwrap.json is:

    {
        "name": "appname",
        "version": "0.0.1",
        "dependencies": {
            "eventemitter2": {
                "version": "0.4.9"
            },
            "after": {
                "version": "0.4.1"
            },
            "express": {
                "version": "2.5.9",
                "dependencies": {
                    "connect": {
                        "version": "1.8.7",
                        "dependencies": {
                            "formidable": {
                                "version": "1.0.9"
                            }
                        }
                    },
                    "mime": {
                        "version": "1.2.4"
                    },
                    "qs": {
                        "version": "0.4.2"
                    },
                    "mkdirp": {
                        "version": "0.3.0"
                    }
                }
            },
            "commander": {
                "version": "0.6.0"
            },
            "should": {
                "version": "0.6.3"
            },
            "request": {
                "version": "2.9.202"
            }
        }
    }

Yet, when I ran npm install it updated qs from version 0.4.2 to version 0.5.0. Also, it updated mime to 1.2.5. Why did it do this?
The npm install returned this:

    qs@0.5.0 ./node_modules/express/node_modules/connect/node_modules/qs
    mime@1.2.5 ./node_modules/express/node_modules/connect/node_modules/mime

Interestingly enough the shrinkwrap contains neither of these. I guess this is the problem. Now the question is why it did not contain these.
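
The comparison described in the last paragraph can be automated. The following is an added example, not part of the original post: it flattens the shrinkwrap tree into node_modules paths and classifies each installed package as pinned, drifted or unpinned. The function names are hypothetical, and the parser assumes install output in the "name@version path" form shown above.

```javascript
// Added example: report installed packages that npm-shrinkwrap.json does not pin.
// Flatten the shrinkwrap tree into a map of node_modules path -> pinned version.
function pinnedPaths(node, prefix = '.', out = new Map()) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const path = `${prefix}/node_modules/${name}`;
    out.set(path, dep.version);
    pinnedPaths(dep, path, out); // nested dependencies live under this path
  }
  return out;
}

// Parse "name@version ./node_modules/..." lines (format taken from the post).
function parseInstallLines(text) {
  return text.split('\n').map(l => l.trim()).filter(Boolean).map(line => {
    const m = /^(.+)@(\S+)\s+(\S+)$/.exec(line);
    if (!m) throw new Error(`unrecognised install line: ${line}`);
    return { name: m[1], version: m[2], path: m[3] };
  });
}

// ok: path pinned at this version; drifted: pinned at another version;
// unpinned: the shrinkwrap has no entry for this path at all.
function auditInstall(shrinkwrap, installText) {
  const pinned = pinnedPaths(shrinkwrap);
  return parseInstallLines(installText).map(pkg => {
    const want = pinned.get(pkg.path);
    const status = want === undefined ? 'unpinned'
      : want === pkg.version ? 'ok' : 'drifted';
    return { ...pkg, pinned: want === undefined ? null : want, status };
  });
}

// Shrinkwrap and install output copied from the post above.
const shrinkwrap = { name: 'appname', version: '0.0.1', dependencies: {
  eventemitter2: { version: '0.4.9' },
  after: { version: '0.4.1' },
  express: { version: '2.5.9', dependencies: {
    connect: { version: '1.8.7',
      dependencies: { formidable: { version: '1.0.9' } } },
    mime: { version: '1.2.4' },
    qs: { version: '0.4.2' },
    mkdirp: { version: '0.3.0' } } },
  commander: { version: '0.6.0' },
  should: { version: '0.6.3' },
  request: { version: '2.9.202' } } };
const installOutput = `
qs@0.5.0 ./node_modules/express/node_modules/connect/node_modules/qs
mime@1.2.5 ./node_modules/express/node_modules/connect/node_modules/mime`;

for (const r of auditInstall(shrinkwrap, installOutput)) {
  console.log(`${r.status.padEnd(8)} ${r.name}@${r.version} ${r.path}`);
}
```

Run as a deployment gate, any "drifted" or "unpinned" row means the server is executing code that was never recorded in the lock file.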