Npm: add support for overrides
Problem
The npm CLI supports the shrinkwrap command, which locks dependencies while taking overrides into account: https://docs.npmjs.com/cli/v9/configuring-npm/package-json#overrides
Users can use overrides to redefine the version of a nested dependency. This helps to fix security vulnerabilities and to work around poorly maintained dependencies of a package.
In order to properly support overrides, we need to set the attribute _hasShrinkwrap to true in the package's version metadata.
Solution
When the command npm shrinkwrap is executed, it creates the file npm-shrinkwrap.json within the package. This file is included in the package tarball together with the other files.
We could check for the existence of npm-shrinkwrap.json asynchronously (in a background job) when a new package is uploaded and save the result in the npm metadata package_json field.
Afterwards, when we generate the package's metadata, we could read this value back.
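One way to implement the check described above, as an added Ruby example that is not GitLab's own code: stream the uploaded tarball without extracting it, record whether npm-shrinkwrap.json sits at the package root, and emit the version metadata with _hasShrinkwrap set. The "package/" top-level folder (npm's packing convention), the build_tgz helper and the constructed sample tarballs are assumptions made for this demo.

```ruby
require "rubygems/package"
require "stringio"
require "zlib"

# Stream the gzipped tarball and report whether npm-shrinkwrap.json sits at the
# package root (npm pack puts package files under one top-level folder, normally
# "package/"). Nested copies, e.g. in test fixtures, must not count as a lock.
def shrinkwrap_present?(tgz_bytes)
  Zlib::GzipReader.wrap(StringIO.new(tgz_bytes)) do |gz|
    Gem::Package::TarReader.new(gz) do |tar|
      tar.each do |entry|
        next unless entry.file?
        parts = entry.full_name.split("/")
        return true if parts.length == 2 && parts.last == "npm-shrinkwrap.json"
      end
    end
  end
  false
end

# Value the background job would store in the package_json field and the
# metadata endpoint would read back when building the version entry.
def version_metadata(name, version, tgz_bytes)
  meta = { "name" => name, "version" => version }
  meta["_hasShrinkwrap"] = true if shrinkwrap_present?(tgz_bytes)
  meta
end

# Constructed sample tarball for the demo (not a real package upload).
def build_tgz(files)
  out = StringIO.new
  gz = Zlib::GzipWriter.new(out)
  Gem::Package::TarWriter.new(gz) do |tar|
    files.each do |path, body|
      tar.add_file_simple(path, 0o644, body.bytesize) { |io| io.write(body) }
    end
  end
  gz.finish
  out.string
end

if $PROGRAM_NAME == __FILE__
  locked = build_tgz("package/package.json" => '{"name":"demo"}',
                     "package/npm-shrinkwrap.json" => '{"lockfileVersion":3}')
  nested = build_tgz("package/package.json" => '{"name":"demo"}',
                     "package/fixtures/npm-shrinkwrap.json" => "{}")
  p version_metadata("demo", "1.0.0", locked)  # includes "_hasShrinkwrap" => true
  p version_metadata("demo", "1.0.0", nested)  # no _hasShrinkwrap key
end
```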