safe-shrinkwrap: for all your shrinkwrapping needs

One of the challenges that we have had in the recent past at work is with dependencies that don’t lock down their dependencies well. A lot of this probably rises from a misunderstanding of how ^ works in semver.

This has caused at least one major outage of our build system, as a breaking change disguised as a minor change slipped through and blew everything up. It was pretty ugly and led us to start shrinkwrapping our dependencies.

Shrinkwrap wasn’t really designed to work with dev dependencies. It works... mostly. But maintaining shrinkwrapped devDependencies is no walk in the park. We had to, though, because of the particular packages that were breaking our builds.

This works... but there is another problem that is introduced by doing that.

OS-specific dependencies.

We do most of our development on OS X boxes, and some of the modules we use depend on modules like fsevents that are OS-specific, which breaks our Linux build servers if those dependencies make it into our npm-shrinkwrap.json file.

safe-shrinkwrap corrects that by parsing your node_modules to find OS specific dependencies and removing them from your npm-shrinkwrap.json file.
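To make the idea concrete, here is an added example (not safe-shrinkwrap's own code) that walks the nested `dependencies` tree of an npm-shrinkwrap.json and drops any package whose package.json `os` field excludes the target platform. The `osAllows`/`pruneShrinkwrap` names, the `lookupOs` callback and the in-memory sample tree are assumptions; the real tool reads `os` fields out of node_modules.

```javascript
// Added example, not code from the safe-shrinkwrap project.
// Strips platform-specific packages from a shrinkwrap tree so that a lockfile
// generated on OS X does not pin e.g. fsevents for a Linux build server.

// package.json `os` semantics: a list of allowed platforms, where "!name"
// entries exclude a platform. An empty or missing field allows everything.
function osAllows(osField, platform) {
  if (!Array.isArray(osField) || osField.length === 0) return true;
  const blocked = osField.filter(o => o.startsWith('!')).map(o => o.slice(1));
  const allowed = osField.filter(o => !o.startsWith('!'));
  if (blocked.includes(platform)) return false;
  return allowed.length === 0 || allowed.includes(platform);
}

// Walk the nested "dependencies" tree in place. `lookupOs(name)` returns the
// package's `os` field (hypothetical callback; in the real tool this comes
// from node_modules/<name>/package.json). Returns the paths that were removed.
function pruneShrinkwrap(shrinkwrap, platform, lookupOs) {
  const removed = [];
  function walk(deps, path) {
    for (const name of Object.keys(deps || {})) {
      const here = path.concat(name);
      if (!osAllows(lookupOs(name), platform)) {
        removed.push(here.join('/'));   // record, then drop the whole subtree
        delete deps[name];
      } else if (deps[name].dependencies) {
        walk(deps[name].dependencies, here);
      }
    }
  }
  walk(shrinkwrap.dependencies, []);
  return removed;
}

// Constructed sample data: a file watcher that pulls in OS X-only fsevents,
// plus a made-up Windows-only helper. Versions are illustrative.
const sampleOs = { fsevents: ['darwin'], 'some-win-helper': ['win32'] };
function sampleShrinkwrap() {
  return {
    name: 'my-app', version: '1.0.0',
    dependencies: {
      chokidar: { version: '1.4.3', dependencies: { fsevents: { version: '1.0.12' } } },
      'some-win-helper': { version: '0.1.0' },
    },
  };
}

const demo = sampleShrinkwrap();
console.log('removed for linux:', pruneShrinkwrap(demo, 'linux', n => sampleOs[n]));
console.log(JSON.stringify(demo, null, 2));
```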

Is this perfect? Nope. But it at least lets us lock down our dependencies in a way that keeps our builds running and makes it simple to keep our dev dependencies locked down. Hopefully it helps you too.

Published: 2 May 2016 | Tags: npm, node, shrinkwrap, dependencies