LinuxCommandLibrary

npm-shrinkwrap

Lock dependency versions for reproducible builds

TLDR

Generate an npm-shrinkwrap.json file from the current package-lock.json
$ npm shrinkwrap

Run in production mode (excludes devDependencies)
$ npm shrinkwrap --production

Force recreate the shrinkwrap file even if it already exists
$ npm shrinkwrap --force

SYNOPSIS

npm shrinkwrap [<options>]
This command is executed as an npm subcommand. It takes no positional arguments after the subcommand itself; its behaviour is controlled by npm configuration flags such as --production and --force.

PARAMETERS

None
    The npm shrinkwrap command accepts no positional arguments of its own. Its behavior is determined by the current state of node_modules, package.json and package-lock.json, and by general npm configuration settings (for example --production or --force).

DESCRIPTION

npm-shrinkwrap is an npm command that creates an npm-shrinkwrap.json file in your project's root directory. This file records the exact version of every dependency and sub-dependency used by your project at the time the shrinkwrap file was created. The primary goal is to ensure reproducible installations across different environments.

When npm install is run in a project containing npm-shrinkwrap.json, it will use the versions specified in that file rather than resolving new versions from package.json. While npm-shrinkwrap.json was once the primary mechanism for locking dependencies, it has largely been superseded by package-lock.json since npm@5.

However, npm-shrinkwrap.json still serves a specific purpose, particularly when publishing a package where you want its consumers to install the exact dependency tree you've tested, rather than allowing their package-lock.json to override it.

CAVEATS

Limitations and Caveats:
npm-shrinkwrap.json is largely superseded by package-lock.json for application development.
It is only recommended if you need to enforce a specific dependency tree for consumers of your published package.
Can lead to confusion or conflicts if both npm-shrinkwrap.json and package-lock.json exist, as npm-shrinkwrap.json takes precedence.
Does not currently support npm workspaces for locking dependencies across projects within a monorepo.

PURPOSE OF NPM-SHRINKWRAP.JSON VS. PACKAGE-LOCK.JSON

npm-shrinkwrap.json is typically used for published packages where you want to dictate the exact dependency tree for consumers. When publishing, if npm-shrinkwrap.json exists, it will be included in the published package, overriding any package-lock.json a consumer might have for the same dependencies.

package-lock.json is primarily for applications to ensure reproducible installs for developers and CI/CD, and it is generally not published with a library.

CREATION AND USAGE

The npm shrinkwrap command creates the npm-shrinkwrap.json file based on the current node_modules tree. npm install then uses this file to perform installations, ensuring that the exact versions specified in the shrinkwrap file are installed.

If both npm-shrinkwrap.json and package-lock.json are present in a project, npm-shrinkwrap.json takes precedence for dependency resolution during npm install.
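A shipped npm-shrinkwrap.json is only as trustworthy as the resolved URLs and integrity hashes it records, so a publisher should check those before including the file in a package. The following Node.js script is an added example, not npm's own code: it audits a lockfile in the lockfileVersion 2/3 "packages" layout (the same format npm-shrinkwrap.json and package-lock.json share) for entries resolved from a host other than registry.npmjs.org or lacking a well-formed integrity hash. The embedded sample lockfile and the host mirror.example.invalid are constructed for illustration.

```javascript
// Added example (not npm's own code): audit npm-shrinkwrap.json or
// package-lock.json (lockfileVersion 2/3 "packages" layout) for entries
// that npm cannot verify at install time. Sample lockfile is constructed.
const TRUSTED_HOSTS = new Set(["registry.npmjs.org"]);
const INTEGRITY_RE = /^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}$/;

// Returns { checked, findings }; findings lists { path, problem } for every
// package entry lacking a trusted resolved URL or a well-formed integrity hash.
function auditLockfile(lock, trustedHosts = TRUSTED_HOSTS) {
  const findings = [];
  let checked = 0;
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue; // root project / workspace symlink
    checked++;
    let host = null;
    try { host = new URL(entry.resolved || "").hostname; } catch { /* unparsable */ }
    if (!host || !trustedHosts.has(host)) {
      findings.push({ path, problem: `resolved from untrusted source: ${entry.resolved}` });
    }
    if (!INTEGRITY_RE.test(entry.integrity || "")) {
      findings.push({ path, problem: "missing or malformed integrity hash" });
    }
  }
  return { checked, findings };
}
// Constructed sample: one clean entry, one pulled from a mirror, one without a hash.
const SAMPLE_LOCK = {
  name: "example-app", version: "1.0.0", lockfileVersion: 3, requires: true,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-" + "A".repeat(86) + "==",
    },
    "node_modules/mirrored-pkg": {
      version: "2.0.0",
      resolved: "https://mirror.example.invalid/mirrored-pkg-2.0.0.tgz",
      integrity: "sha512-" + "B".repeat(86) + "==",
    },
    "node_modules/no-hash-pkg": {
      version: "0.1.0",
      resolved: "https://registry.npmjs.org/no-hash-pkg/-/no-hash-pkg-0.1.0.tgz",
    },
  },
};
const report = auditLockfile(SAMPLE_LOCK);
console.log(`${report.checked} entries checked, ${report.findings.length} finding(s)`);
for (const f of report.findings) console.log(`  ${f.path}: ${f.problem}`);
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse of the npm-shrinkwrap.json contents; a non-empty findings list is a reason not to publish that shrinkwrap.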

HISTORY

The npm shrinkwrap command was introduced in npm@2 to provide deterministic dependency installations, addressing the "dependency hell" problem where different installations could lead to varying versions of sub-dependencies. It became the recommended way to lock dependencies for applications, ensuring that builds were reproducible.

However, with npm@5, package-lock.json was introduced as the default and preferred mechanism, generated automatically by npm install. package-lock.json addressed some limitations of npm-shrinkwrap.json, such as better diffing and more consistent integration with package.json for all installations.

Today, npm-shrinkwrap.json primarily serves a specific, advanced use case for package publishers who wish to strictly control the dependency tree of their published package, explicitly overriding potential package-lock.json files on the consumer side.

SEE ALSO

npm-install(1), npm-pack(1), npm-config(1), npm-package-lock.json(5), npm-shrinkwrap.json(5)
