[npm] Support lockfile version 3

Since NPM version 7, the package-lock.json version 2 file now uses a packages field, and the dependencies field is duplicated for backwards compatibility.

It is possible to configure NPM to use a package-lock.json version 3, which omits the dependencies field to greatly reduce the size of the lock file. See https://docs.npmjs.com/cli/v8/using-npm/config#lockfile-version.

To support lockfile-version=3, patch-package must be able to interpret the packages field of the lock file.

Issue Analytics

  • State: open
  • Created a year ago
  • Reactions: 3
  • Comments: 7
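
Added example (not part of the original issue and not patch-package's own code): one way to read a package's resolution from the packages field of a version 3 lock file, using exact node_modules path keys instead of a substring search over the keys. The names sampleLock, naiveKey, findLockEntry and getResolution are hypothetical, and the lock file contents are constructed for illustration.

```javascript
// Constructed sample lock file (lockfileVersion 3: only the "packages" map exists).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/@types/debug": {
      version: "4.1.7",
      resolved: "https://registry.npmjs.org/@types/debug/-/debug-4.1.7.tgz",
    },
    "node_modules/debug": {
      version: "4.3.4",
      resolved: "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
    },
    "node_modules/express/node_modules/debug": {
      version: "2.6.9",
      resolved: "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
    },
  },
};

// Substring search over the keys: returns the first key containing the name.
function naiveKey(lockfile, name) {
  const hit = Object.keys(lockfile.packages).find((k) => k.includes(name));
  return hit === undefined ? null : hit;
}

// Exact lookup. packageNames is the nesting path, e.g. ["express", "debug"].
// Tries the deepest node_modules location first, then each hoisted location.
function findLockEntry(lockfile, packageNames) {
  if (!lockfile.packages) throw new Error("lock file has no packages field");
  const name = packageNames[packageNames.length - 1];
  const parents = packageNames.slice(0, -1);
  for (let depth = parents.length; depth >= 0; depth--) {
    const key = [...parents.slice(0, depth), name]
      .map((n) => "node_modules/" + n)
      .join("/");
    if (Object.prototype.hasOwnProperty.call(lockfile.packages, key)) {
      return { key, entry: lockfile.packages[key] };
    }
  }
  return null;
}

function getResolution(lockfile, packageNames) {
  const found = findLockEntry(lockfile, packageNames);
  if (!found) throw new Error("not in lock file: " + packageNames.join(" => "));
  return found.entry.resolved || found.entry.version;
}
```

On this sample, the substring search for "debug" lands on node_modules/@types/debug, while the exact lookup returns the debug 4.3.4 tarball and, for the path express => debug, the nested 2.6.9 copy.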

Top GitHub Comments

5 reactions
iTonyYo commented, Dec 8, 2022

Modify this file directly 👉🏻 /node_modules/patch-package/dist/getPackageResolution.js with the code below, then apply a patch.

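// Fragment for dist/getPackageResolution.js: it runs inside the existing
// resolution function, hence the bare return statements.
const lockfile = require(path_1.join(appPath, packageManager === "npm-shrinkwrap"
    ? "npm-shrinkwrap.json"
    : "package-lock.json"));

if (lockfile.lockfileVersion > 2) {
    // Version 3 has no "dependencies" tree; look the package up in "packages".
    // Match the key exactly: a substring test on "debug" would also match
    // "node_modules/@types/debug" and return the wrong entry.
    const suffix = "node_modules/" + packageDetails.name;
    const match = Object.entries(lockfile.packages).find(([key]) => key === suffix || key.endsWith("/" + suffix));
    if (!match) {
        throw new Error("Could not find " + packageDetails.name + " in the lock file");
    }
    return match[1].resolved;
}

// Versions 1 and 2: walk the nested "dependencies" tree.
const lockFileStack = [lockfile];
for (const name of packageDetails.packageNames.slice(0, -1)) {
    const child = lockFileStack[0].dependencies;
    if (child && name in child) {
        lockFileStack.push(child[name]);
    }
}

lockFileStack.reverse();

const relevantStackEntry = lockFileStack.find((entry) => entry.dependencies && packageDetails.name in entry.dependencies);

const pkg = relevantStackEntry.dependencies[packageDetails.name];
return pkg.resolved || pkg.from || pkg.version;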

4 reactions
anas10 commented, Nov 15, 2022

I’ve opened a PR to solve this issue here: https://github.com/ds300/patch-package/pull/434 I’ve tested it locally and it works fine. I’ve made the change in a way that should make it compatible with all versions of lockfile.
