npm Community Forum (Archive)

The npm community forum has been discontinued.


NPM only lock some packages

We currently don’t use the package lock feature of NPM because we have many fast-moving internal sub-dependency repos, and we want the packages requiring those builds to always use the latest version on rebuilds triggered by new versions of these dependency modules.

However, we keep losing time when external dependencies have broken builds because we have no locked versions file checked in. We get surprised when we get a bad version in our tree (we’re accepting all packages in the same major version) and then we have to make a new commit to force usage of a working version.

Is there a way to have the best of both worlds? We’d like to circumvent package locking for our own modules because we always want to use the latest and we can address breaking issues ourselves, but we want to rely on locked versions for external packages so that new versions are verified by our build checks before being used in our dev builds.

Is this possible? Hopefully, I explained our dilemma well enough.
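One way to approach the dilemma above, as an added example that is not part of the original post: keep `package-lock.json` checked in, install with `npm ci`, and then bump only the internal packages with `npm update <pkg…>` (which moves them to the newest version still inside their `package.json` range and rewrites the lock). The script below splits a lockfile v2/v3 `packages` map into internal and external entries, flags any external entry that lacks `resolved`/`integrity` (such an entry is not actually pinned to a verifiable tarball), and builds the `npm update` command for the internal set. The internal scope `@acme/` and the sample lockfile are constructed assumptions.

```javascript
// Added example; the internal scope is an assumption, not from the original post.
const INTERNAL_SCOPE = '@acme/';

// Constructed sample lockfile (lockfileVersion 2 layout, trimmed to what matters).
const sampleLock = {
  name: 'app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'app', dependencies: { '@acme/core': '^1.0.0', semver: '^7.0.0', lodash: '^4.0.0' } },
    'node_modules/@acme/core': { version: '1.4.2', resolved: 'https://registry.example/@acme/core/-/core-1.4.2.tgz', integrity: 'sha512-PLACEHOLDER' },
    'node_modules/semver': { version: '7.5.4', resolved: 'https://registry.npmjs.org/semver/-/semver-7.5.4.tgz', integrity: 'sha512-PLACEHOLDER' },
    // Missing resolved/integrity: npm ci cannot verify this tarball, so it is not really pinned.
    'node_modules/lodash': { version: '4.17.21' },
  },
};

// Lockfile keys look like "node_modules/a" or "node_modules/a/node_modules/@s/b";
// the package name is whatever follows the last "node_modules/" segment.
function packageNameFromKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Partition lock entries into internal (refresh to latest) and external (keep pinned),
// and report external entries that lack the fields needed to pin them verifiably.
function classifyLock(lock) {
  const internal = [];
  const external = [];
  const unpinned = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromKey(key);
    if (name === null) continue; // root project entry ("")
    if (name.startsWith(INTERNAL_SCOPE)) {
      internal.push(name);
    } else {
      external.push(name);
      if (!entry.resolved || !entry.integrity) unpinned.push(name);
    }
  }
  return { internal, external, unpinned };
}

// Command to run after `npm ci` so only the internal packages move to their latest in-range version.
function refreshCommand(internal) {
  const names = [...new Set(internal)];
  return names.length ? `npm update ${names.join(' ')}` : null;
}

const result = classifyLock(sampleLock);
console.log('external entries missing resolved/integrity:', result.unpinned);
console.log('refresh command:', refreshCommand(result.internal));
```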