npm install Should Only Install Exact Versions Unless Explicitly Overridden


(João Bragança) #1

IMO npm install should only install exact packages unless explicitly told not to via a flag, e.g. --allow-package-upgrades.

I would also like to reply to what was said here: https://github.com/npm/npm/issues/21206#issuecomment-404577187 since that issue has now been locked.

Using package-lock.json is not going to fix this problem. Many times, I’ve had to blow away a lockfile and recreate it because of merge conflicts (I use yarn but I imagine it’s the same). Also, it does not address the scenario where someone starts a brand new project during the window when a compromised package exists on a registry.


(Kat Marchán) #2

As I said over there, your suggestion does not have the intended result. Transitive dependencies will continue to have semver ranges for a very, very long time and there’s close to nothing you can do about that one.

As far as your response to package-lock.json: please note that this sort of “blowing away” is unnecessary in npm, especially after using https://npm.im/npm-merge-driver to install a merge driver (which eventually npm will do automatically).

The issue around security and malicious patch releases is being addressed separately, through a number of security-related features that are coming over the course of the next year.
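
To make the transitive-range point from reply #2 concrete, here is an added example (not code from the thread or from npm) that walks a lockfile's `packages` map, the layout used by lockfileVersion 2 and 3, and lists every dependency declared with something other than an exact version. The sample lockfile is constructed and its package names are hypothetical.

```javascript
// Exact versions only: 1.2.3, =1.2.3, v1.2.3 (optional prerelease/build tags).
// Ranges, dist-tags, git/file/alias specs all count as "not exact" here.
const EXACT = /^=?v?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isExact(spec) {
  return EXACT.test(String(spec).trim());
}

// Walk the lockfile's "packages" map and report every dependency that a
// package declares with something other than an exact version.
function findFloatingRanges(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const declared = { ...entry.dependencies, ...entry.optionalDependencies };
    for (const [dependency, range] of Object.entries(declared)) {
      if (isExact(range)) continue;
      findings.push({
        declaredBy: path === "" ? "(root project)" : path.replace(/^.*node_modules\//, ""),
        dependency,
        range,
        transitive: path !== "",
      });
    }
  }
  return findings;
}

// Constructed sample lockfile; all package names are hypothetical.
// The root project pins its only direct dependency to an exact version.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0",
          dependencies: { "web-framework": "4.16.3" } },
    "node_modules/web-framework": { version: "4.16.3",
          dependencies: { "body-reader": "^1.18.2", "tiny-util": "2.0.4" } },
    "node_modules/body-reader": { version: "1.18.3",
          dependencies: { "tiny-util": "~2.0.1" } },
    "node_modules/tiny-util": { version: "2.0.4" },
  },
};

for (const f of findFloatingRanges(sampleLock)) {
  console.log(`${f.declaredBy} -> ${f.dependency}@${f.range}` +
              (f.transitive ? " (transitive, outside the root's control)" : ""));
}
```

Both findings come from packages below the root, even though the root manifest contains only an exact pin. Without the lockfile, a fresh install resolves each reported range against whatever the registry currently serves.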