I've found package-lock.json to be generally frustrating. Like, I can't tell if npm has installed from the package-lock or not. Also, package-lock.json only applies to npm install when you've checked it out, not npm install <module_name>, but shrinkwrap does do that. So, that is why I have shrinkwrap in scuttlebot-release: you can do npm install scuttlebot-release@version and actually get a known working version. (I'd recommend that anyone embedding scuttlebot in their application uses scuttlebot-release, as is suggested in the scuttlebot readme.)

The other day, because of the unclarity of how npm handled package-lock, I actually wrote my own install-from-shrinkwrap script, to install patchfoo: npm-install-shrinkwrap.

Because of other problems, like noisy diffs, I'd rather just put shrinkwraps on the couple of modules that you might need to use independently, as -release or something. package-lock makes more sense for applications, though.
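
One way to check whether an install actually matches what npm-shrinkwrap.json or package-lock.json pins, the uncertainty raised in the post above. This is an added example, not part of the original post and not the npm-install-shrinkwrap script it mentions; the function names (`pinnedVersions`, `verifyInstall`, `readInstalled`, `fromMap`) and the sample packages are hypothetical.

```javascript
// Added example, not code from the post. Flatten a lock file into
// { "node_modules/<name>": { version, optional } } for lockfileVersion 1
// (nested "dependencies") and 2/3 (flat "packages").
function pinnedVersions(lock) {
  const pins = {};
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path !== '' && !meta.link) pins[path] = { version: meta.version, optional: !!meta.optional };
    }
    return pins;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      pins[path] = { version: meta.version, optional: !!meta.optional };
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return pins;
}

// Return every pinned package that is missing or installed at another version.
// installedVersion(path) returns the version string on disk, or null.
function verifyInstall(lock, installedVersion) {
  const problems = [];
  for (const [path, pin] of Object.entries(pinnedVersions(lock))) {
    const found = installedVersion(path);
    if (found === null && pin.optional) continue; // a skipped optional dep is fine
    if (found !== pin.version) problems.push({ path, expected: pin.version, found });
  }
  return problems;
}

// Reader for a real checkout: version from <root>/<path>/package.json.
function readInstalled(root) {
  const fs = require('fs');
  return (path) => {
    try { return JSON.parse(fs.readFileSync(`${root}/${path}/package.json`, 'utf8')).version; }
    catch (e) { return null; }
  };
}

// Constructed sample: a v1-style shrinkwrap and an in-memory node_modules listing.
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  'dep-a': { version: '1.0.0' },
  'dep-b': { version: '2.0.0', dependencies: { 'dep-a': { version: '0.9.0' } } },
  'opt-c': { version: '3.0.0', optional: true } } };
const SAMPLE_INSTALLED = { 'node_modules/dep-a': '1.0.0', 'node_modules/dep-b': '2.1.0' };
const fromMap = (m) => (path) => (path in m ? m[path] : null);
console.log(verifyInstall(SAMPLE_LOCK, fromMap(SAMPLE_INSTALLED)));
```

Against a real checkout, pass the parsed lock file and `readInstalled('.')`. In lockfileVersion 1, git and tarball dependencies record a URL in `version`, so they are reported as mismatches and need a separate check.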