npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

npm install Should Only Install Exact Versions Unless Explicitly Overridden

IMO npm install should only install exact packages unless explicitly told not to via a flag e.g. --allow-package-upgrades.

I would also like to reply to what was said here: https://github.com/npm/npm/issues/21206#issuecomment-404577187 since that issue has now been locked.

Using package-lock.json is not going to fix this problem. Many times, I’ve had to blow away a lockfile and recreate it because of merge conflicts (I use yarn but I imagine it’s the same). Also, it does not address the scenario where someone starts a brand new project during the window when a compromised package exists on a registry.


As I said over there, your suggestion does not have the intended result. Transitive dependencies will continue to have semver ranges for a very very long time and there’s close to nothing you can do about that one.

As far as your response to package-lock.json: please note that this sort of “blowing away” is unnecessary in npm. Specially after using https://npm.im/npm-merge-driver to install a merge driver (which eventually npm will do automatically).

The issue around security and malicious patch releases is being addressed separately, through a number of security-related features that are coming over the course of the next year.