I have a package in a private registry that I want to use in a couple of node projects.
This package contains some static files used by other apps.
In each project I want running npm install to pull the latest version of my package from my private registry.
This way, if the package changes I don’t need to edit each and every one of the node js apps; instead I can just re-run the builds on the CI and I always get the latest version of said static files.
I tried changing the version under dependencies to * and latest but regardless of what I put in there, npm ONLY updates the package if I run npm update @scope/packagename.
Obviously running this command modifies package.json and means that I then need to get my CI to commit back to my repo which I am not a massive fan of.
How can I make it so a simple npm install will always bring down the latest version rather than the specific one from package-lock.json?
The behavior you describe is the whole point of package-lock.json, no? To sidestep it, I think you’d pretty much have to add the lock file to your .gitignore
@Brian I do want the lock file behaviour for all packages except ONE, though. Any way to exempt this package from the lock file?
No, not that I know of. Except — hmm. Wild guess here: What if you remove your particular package from package-lock.json after running npm install and commit that? Or — what are you using for CI? You could maybe insert npm update @scope/packagename before the npm install step. I wouldn’t recommend either of these in general due to the glaring security problems, except that it’s a private registry with an internal package that you’re also writing. That lowers the security vulnerability just a little bit 🙂
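A check a CI job could run after the npm update @scope/packagename step suggested above, so that letting one package float does not weaken the lock file for everything else: it compares the committed lock file with the updated one and reports anything other than that one package changing, or that package arriving from outside the private registry or without an integrity hash. This is an added example, not code from the thread; the registry URL, the some-lib package and the lock file contents are constructed, and the lockfileVersion 2/3 `packages` layout is assumed.

```javascript
// Assumed placeholders: the one package allowed to float, and the private registry.
const FLOATING = 'node_modules/@scope/packagename';
const TRUSTED_REGISTRY = 'https://registry.example.internal/';

// Compare the `packages` maps of two parsed lock files (lockfileVersion 2 or 3).
// Returns a list of policy violations; an empty list means the only change is
// the floating package, fetched from the trusted registry with a sha512 hash.
function checkLockDrift(committed, updated) {
  const before = committed.packages || {};
  const after = updated.packages || {};
  const problems = [];
  for (const path of new Set([...Object.keys(before), ...Object.keys(after)])) {
    const a = before[path];
    const b = after[path];
    const same = a && b && a.version === b.version &&
      a.resolved === b.resolved && a.integrity === b.integrity;
    if (same) continue;
    if (path !== FLOATING) {
      problems.push(`${path}: changed, but only ${FLOATING} may float`);
    } else if (!b) {
      problems.push(`${path}: missing from updated lock file`);
    } else {
      if (!String(b.resolved || '').startsWith(TRUSTED_REGISTRY)) {
        problems.push(`${path}: resolved from ${b.resolved}`);
      }
      if (!/^sha512-/.test(b.integrity || '')) {
        problems.push(`${path}: no sha512 integrity hash`);
      }
    }
  }
  return problems;
}

// Constructed sample lock files (lockfileVersion 3 layout); not real data.
const lock = (floatVer, registry, libVer) => ({ lockfileVersion: 3, packages: {
  '': { name: 'app', version: '1.0.0' },
  [FLOATING]: { version: floatVer,
    resolved: `${registry}@scope/packagename/-/packagename-${floatVer}.tgz`,
    integrity: `sha512-constructed-${floatVer}` },
  'node_modules/some-lib': { version: libVer,
    resolved: `https://registry.npmjs.org/some-lib/-/some-lib-${libVer}.tgz`,
    integrity: `sha512-constructed-${libVer}` },
}});
const committed = lock('1.2.0', TRUSTED_REGISTRY, '4.1.0');
console.log(checkLockDrift(committed, lock('1.3.0', TRUSTED_REGISTRY, '4.1.0')));
console.log(checkLockDrift(committed, lock('1.3.0', 'https://registry.npmjs.org/', '4.1.0')));
console.log(checkLockDrift(committed, lock('1.2.0', TRUSTED_REGISTRY, '4.2.0')));
```

In a pipeline the two inputs would be the lock file from the last commit and the one left in the workspace after the update step, with a non-empty result failing the build.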