Package overrides #27
Conversation
accepted/0000-package-overrides.md
Outdated
|
|
||
| ## Implementation | ||
|
|
||
| In order to do this, the npm installer will need to read in an overrides section from `package.json`. This will have a simple format such as `overrides: { 'foo': '1.2.3' }`. These values will need to be used at the end of the tree-building process to select the final version. (Is there also a pruning element to this?) |
There was a problem hiding this comment.
What if i want to override one package with another - like underscore for lodash, etc?
It would be ideal if the RHS of this could also be a full npm install argument - ie, package name/url + @ + version.
There was a problem hiding this comment.
You would use package aliases, which are coming soon, so: "undescore": "npm:lodash"
Wouldn't locking the dep at a certain version and running This proposal seems similar to the But a bigger concern I have is that this seems like a solution for a symptom of the problem but doesn't attack the real problem. The real problem is that there's currently no reliable way for package maintainers to actually mark that their package should only have a single version in a consumer's dep tree. Once that is solved, I think npm can enforce it when a consumer attempts to install it and give the consumer an option on how to handle the mismatched versions, using |
|
@mkay581 Overrides is solving a different problem! We do have a Singleton Package RFC for the "larger" problem you mention -- but overrides can be used for things like updating deep dependencies with security-patched forks, or different versions with important patches (or preventing a semver update from updating to a broken version). These are some of the examples, but ultimately, this is orthogonal to singletons, which will benefit from this, but this is not the primary purpose at all. |
No description provided.