This packages modifies package-lock.json to force the installation of specific version of a transitive dependency (dependency of dependency), similar to yarn's selective dependency resolutions, but without having to migrate to yarn.
The use case for this is when there is a security vulnerability and you MUST update a nested dependency otherwise your project would be vulnerable. But this should only be used as a last resource, you should first update your top-level dependencies and file an issue for them to update the vulnerable sub-dependencies (npm ls <vulnerable dependency> can help you with that).
First add a field resolutions with the dependency version you want to fix to your package.json, for example:
"resolutions": {
"hoek": "4.2.1"
}Then add npm-force-resolutions to the preinstall script so that it patches the package-lock file before every npm install you run:
"scripts": {
"preinstall": "npx npm-force-resolutions"
}Now just run npm install as you would normally do:
npm install
To confirm that the right version was installed, use:
npm ls hoek
If your package-lock changes, you may need to run the steps above again.
To build the project from source you'll need to install clojure. Then you can run:
npm install
npm run build
