npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

lockdown

v0.0.8-dev

Published

Lock your node.js app to specific versions (and checksums) of dependencies.

Downloads

251

Readme

npm-lockdown

Put your dependencies on lockdown.

lockdown

What's this?

NPM Lockdown is a tool that locks your node.js app to specific versions of dependencies... So that you can:

  1. know that the code you develop against is what you test and deploy
  2. npm install and get the same code, every time.
  3. not have to copy all of your dependencies into your project
  4. not have to stand up a private npm repository to solve this problem.

Who is this for?

Node.JS application developers, but not library authors. Stuff published in npm as libraries probably wouldn't be interested.

Why Care?

Even if you express verbatim versions in your package.json file, you're still vulnerable to your code breaking at any time. This can happen if a dependency of a project you depend on with a specific version itself depends on another packages with a version range.

How can other people accidentally or intentionally break your node.js app? Well, they might...

  • ... push a new version that no longer supports your preferred version of node.js.
  • ... fix a subtle bug that you actually depend on.
  • ... accidentally introduce a subtle bug.
  • ... be having a bad day.

And, any author at any time can overwrite the package version they have published so one under-thought npm publish -f can mean a subtle bug that steals days of your week.

Usage!

npm install --save [email protected]
./node_modules/.bin/lockdown-relock

npm-lockdown is easy to get started with. It generates a single file that lists the versions and check-sums of the software you depend on, so any time something changes out from under you, npm install will fail and tell you what package has changed.

One Time Project Setup

  1. npm install the version of lockdown you want: npm install --save lockdown
  2. add a line to your package.json file: "scripts": { "preinstall": "lockdown" }
  3. generate a lockdown.json: node_modules/.bin/lockdown-relock
  4. commit: git add package.json lockdown.json && git commit -m "be safe"

Adding new modules

  1. npm install the specific dependencies of your app npm install --save [email protected]
  2. re-generate your lockdown.json: node_modules/.bin/lockdown-relock
  3. commit: git add package.json lockdown.json && git commit -m "be safe"

Changing dependencies once locked down

You update your dependencies explicitly, relock, and commit:

npm install --save [email protected]
node_modules/.bin/lockdown-relock
git add lockdown.json package.json
git commit -m "move to foo v1.2.3"

done!

Using an npm mirror

You can fetch resources from an npm mirror by specifying the NPM_CONFIG_REGISTRY environment variable when invoking npm install. If NPM_CONFIG_REGISTRY is not specified, http://registry.npmjs.org will be used.

NPM_CONFIG_REGISTRY=http://registry.npmjs.eu/ npm install

Notes:

  • You should use the latest stable version of lockdown, find it from the npm registry

Installing dependencies once locked down

npm install

Related Tools

npm shrinkwrap - NPM itself has a feature called "shrinkwrap" that

locks down the versions of a package's dependencies so that you can control exactly which versions of each dependency will be used when your package is installed.

At present (as of npm v1.1.33), the implementation of shrinkwrap has a couple flaws which make it unusable for certain applications:

  1. No checksums! NPM shrinkwrap does not guarantee bit-wise equality of the installed dependencies, so if an upstream server or author decides to change the contents of version 1.2.3 of foo, you'll install something different than you intended without knowing.
  2. Does not play nice with optionalDependencies - If you "shrinkwrap" your app and you have an installed dep that is optional, the dependency is no longer optional. This might not be what you want.

NOTE: you can combine lockdown with shrinkwrap just fine. If all you care about is #1 above.

The path forward is to build checksums into shrinkwrap and kick lockdown to the curb, but until then, lockdown solves some problems. (@izs is interested in patches).

npm-seal - Solves the same problem as lockdown in a very different way. Because seal is built to be used in concert with shrinkwrap, it suffers from the optionalDependencies issue described above.