Home

npmshrinkwrapjson

npm-shrinkwrap.json, often referred to as npm-shrinkwrap.json or npm shrinkwrap, is a JSON manifest used by the Node.js package manager npm to lock a project’s dependencies to exact versions. It records the complete and exact dependency tree at a specific point in time, pinning each package to a precise version and source. The goal is to enable reproducible installs across different environments and over time, so that downstream developers and automated systems install the same dependency graph.

The file typically contains project metadata and a dependencies map. Each dependency entry includes fields such

Generation and usage: npm-shrinkwrap.json is created or updated by running the shrinkwrap command (npm shrinkwrap) in

Relation to other lock files: shrinkwrap predates the package-lock.json file and serves a similar purpose—ensuring deterministic

Limitations and best practices: shrinkwrap locks only the dependencies that exist at the time of generation.

as
version,
resolved,
and
integrity.
The
version
specifies
the
exact
package
version,
resolved
points
to
the
location
from
which
the
package
should
be
fetched
(often
a
registry
URL),
and
integrity
provides
a
Subresource
Integrity
hash
used
to
verify
package
contents.
Dependencies
can
in
turn
include
their
own
requires
and
nested
dependencies,
mirroring
the
resolved
tree
to
the
extent
necessary
for
reproducible
installations.
the
project
root.
The
resulting
file
is
usually
committed
to
version
control
so
that
other
developers,
continuous
integration
systems,
and
production
environments
install
the
same
dependency
graph.
When
a
shrinkwrap
file
is
present,
npm
install
uses
the
exact
versions
listed,
rather
than
resolving
new
versions
from
semver
ranges.
installs.
In
modern
npm
workflows,
package-lock.json
is
the
default
mechanism
for
locking
dependencies,
but
shrinkwrap
remains
available
for
projects
that
require
its
specific
semantics
or
for
publishing
packages
with
a
pre-defined
dependency
tree.
Updates
or
additions
require
regenerating
the
file.
It
is
commonly
used
for
libraries
targeting
reproducible
builds
in
organizations
and
for
projects
that
publish
to
npm
or
private
registries.