I am new to Node.js and using Verdaccio. Whenever I install a new module, entries are added to the package-lock.json file with the resolved field for each module pointing to a URL starting with http://localhost:4873. Is it right to have it pointing to localhost rather than the actual npmjs repository? I also believe that package-lock.json needs to be committed to git. Other developers may have problems. I am confused whether to rename the repository link manually. Please clarify.
Hi @aprasadh, first of all, thanks for using Verdaccio.
I would recommend some articles so that you will have a better picture of how the package-lock file works.
https://jpospisil.com/2017/06/02/understanding-lock-files-in-npm-5.html
You might have noticed that the resolved field is still present in the file pointing to a specific URI. Note however that NPM is now able to figure out (based on the settings in .npmrc) that the machine is configured to use a different registry and if so, it will transparently use it instead. This plays well with the integrity field because it now doesn't matter from where the package came from as long as it matches the signature.
This means, if npm finds in your local project a .npmrc file with the following content, it will use that domain to resolve the dependencies.
registry=http://registry.npmjs.org/
Since this is merely an npm issue, I cannot do anything else for you than provide you some links, but if you are using verdaccio for local development, you might keep the .npmrc file as I described above and, only for you, as follows (do not commit it, of course):
registry=http://localhost:4873/
A third option might be resolving the registry via CLI, but, it might be a bit verbose.
npm install --registry http://localhost:4873/
If you are working in a company, perhaps you might have a shared verdaccio instance accessible for everybody, either as a node process or using Docker (http://www.verdaccio.org/docs/en/docker.html).
More about the topic.
https://github.com/npm/npm/pull/16441
https://codeburst.io/disabling-package-lock-json-6be662f5b97d
https://jpospisil.com/2017/06/02/understanding-lock-files-in-npm-5.html
Thanks @juanpicado for the answer.
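For teams that want to see what a committed package-lock.json actually contains, the following is an added example (not part of the original thread, and not npm or Verdaccio code) that reports `resolved` URLs pointing at a loopback registry such as http://localhost:4873, hosts outside an allow-list, and entries whose `integrity` field is missing or sha1-only. `ALLOWED_HOSTS`, the finding names and `SAMPLE_LOCK` are assumptions constructed for illustration.

```javascript
// Added example. ALLOWED_HOSTS and SAMPLE_LOCK are constructed; set ALLOWED_HOSTS to your team's registries.
const ALLOWED_HOSTS = new Set(["registry.npmjs.org"]);
const LOOPBACK = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Yield [name, entry] from the nested "dependencies" tree (lockfileVersion 1).
function* walkDeps(deps, prefix) {
  for (const [name, entry] of Object.entries(deps || {})) {
    yield [prefix + name, entry];
    yield* walkDeps(entry.dependencies, prefix + name + " > ");
  }
}

// Newer lockfiles carry a flat "packages" map; prefer it when present.
function* lockEntries(lock) {
  if (!lock.packages) { yield* walkDeps(lock.dependencies, ""); return; }
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path !== "") yield [path, entry]; // "" is the root project itself
  }
}

function auditLock(lock, allowed = ALLOWED_HOSTS) {
  const findings = [];
  const add = (name, issue, detail) => findings.push({ name, issue, detail });
  for (const [name, entry] of lockEntries(lock)) {
    if (entry.link || typeof entry.resolved !== "string") continue; // no tarball URL
    let host;
    try { host = new URL(entry.resolved).hostname; } catch { host = null; }
    if (host === null) add(name, "unparseable-resolved", entry.resolved);
    else if (LOOPBACK.has(host)) add(name, "loopback-registry", entry.resolved);
    else if (!allowed.has(host)) add(name, "unapproved-host", host);
    // integrity is an SRI string: one or more "<algo>-<base64>" tokens
    const algos = String(entry.integrity || "").split(/\s+/).filter(Boolean)
      .map((token) => token.split("-")[0]);
    if (algos.length === 0) add(name, "missing-integrity", "");
    else if (!algos.some((a) => /^sha(256|384|512)$/.test(a))) add(name, "weak-integrity", algos.join(","));
  }
  return findings;
}

// Constructed sample lockfile; package names, hosts and hashes are placeholders.
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  "example-a": { resolved: "http://localhost:4873/example-a/-/example-a-1.0.0.tgz",
    integrity: "sha512-CONSTRUCTED", dependencies: {
      "example-d": { resolved: "https://mirror.example.test/example-d-1.0.0.tgz", integrity: "sha512-CONSTRUCTED" } } },
  "example-b": { resolved: "https://registry.npmjs.org/example-b/-/example-b-1.0.0.tgz", integrity: "sha1-CONSTRUCTED" },
  "example-c": { resolved: "https://registry.npmjs.org/example-c/-/example-c-1.0.0.tgz" },
} };
console.table(auditLock(SAMPLE_LOCK));
```

To audit a real project, pass the parsed contents of its package-lock.json to `auditLock` and fail the CI job when the returned array is non-empty.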