Lock down dependencies with npm shrinkwrap
The npm shrinkwrap feature allows locking down the package dependencies even when installed as an npm package and not manually from source. It is generally recommended to enable this for top-level apps like daemons and CLI tools, but not for libraries intended to be used as part of a larger app.
Other than ensuring a consistent environment and preventing dependency issues, locking down to specific versions also has the security advantage of package updates having to be explicit. To give a recent example, automatic updates of packages down the dependency tree helped enable the Copay hack just a few months ago. With npm shrinkwrap, the malicious version of the event-stream dependency wouldn’t be installed unless the copay developers explicitly updated their deps inside the time window where event-stream was vulnerable – which is still possible, but much less likely.
To enable shrinkwrap, just run npm shrinkwrap, which will rename the package-lock.json file to npm-shrinkwrap.json, and check that in.
There’s some more information on shrinkwrap on the npm blog (from the web archive, appears to be unavailable on the website for some reason).
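As an added example (not code from the issue or the project), here is a small Node script that audits an npm-shrinkwrap.json or package-lock.json the way a CI check would: every entry must be pinned to an exact version and carry an integrity hash, so a hand-edited lockfile or a silently widened range is caught before install. The lockfile it reads is constructed sample data, and its integrity strings are placeholders.

```javascript
// Added example, not part of the original issue: audit a lockfile so every
// dependency is pinned to an exact version and carries an integrity hash.
// The lockfile below is constructed sample data, not a real project's lockfile.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Walk lockfile v1 (nested "dependencies" tree) and v2/v3 ("packages" map).
function collectEntries(lock) {
  const out = [];
  const walkV1 = (deps, pathPrefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = pathPrefix + name;
      out.push({ path, version: entry.version, integrity: entry.integrity });
      walkV1(entry.dependencies, path + '/'); // nested (de-duplicated) deps
    }
  };
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === '') continue; // the root project entry, not a dependency
      out.push({ path, version: entry.version, integrity: entry.integrity });
    }
  } else {
    walkV1(lock.dependencies, '');
  }
  return out;
}

// Return the problems a reviewer would want to see before trusting the lockfile.
function auditLockfile(lock) {
  const problems = [];
  for (const e of collectEntries(lock)) {
    if (!EXACT_VERSION.test(e.version || '')) problems.push(`${e.path}: version not exact (${e.version})`);
    if (!e.integrity) problems.push(`${e.path}: missing integrity hash`);
  }
  return problems;
}

// Constructed sample lockfile (v1 layout) with two deliberate defects.
const sampleLock = {
  name: 'sample-app', version: '1.0.0', lockfileVersion: 1, requires: true,
  dependencies: {
    'event-stream': {
      version: '3.3.4', integrity: 'sha512-PLACEHOLDER',
      dependencies: { 'through': { version: '2.3.8' /* no integrity */ } }
    },
    'left-pad': { version: '^1.3.0', integrity: 'sha512-PLACEHOLDER' } // range, not pinned
  }
};
console.log(auditLockfile(sampleLock).join('\n'));
```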
Ah very cool. Thanks for the info, as always 😃
https://www.npmjs.com/package/btc-rpc-explorer
Awesome! I’ll send a PR to update the installation instructions 😃