A few days ago I was trying to install a project’s dependencies with a simple npm install, but in the instructions I was given there was an extra step to manually install one additional package. When I checked package.json, the package was there… So, what was going on!?
After searching for a while, it turns out that a previous developer used npm shrinkwrap “to predownload the packages” (or something like that, from what he said). It turns out that this command “freezes” the list of packages at their current versions, so the next time you run npm install you will get the exact same dependency versions, even if you’re using imprecise version specifications in your package.json. It does this by creating an npm-shrinkwrap.json file next to your package.json (similar to a pip freeze, but it also affects npm install). The problem is that once you have this file, package.json is ignored, and even if you add a new package it will not install.
So, while this is good for the reproducibility of environments, when you need to update your package list, you also need to update the npm-shrinkwrap.json file. So, the steps are:
$ npm install my_new_package --save
$ npm shrinkwrap
Or, to update:
$ npm update
$ npm shrinkwrap
If your dependencies are screwed up, like happened to me, the easiest way to clean up the mess is:
$ rm -rf node_modules
$ npm install
$ npm shrinkwrap
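
To catch the drift described above before it bites the next developer, the following added example (not code from npm or from the project in question) lists the packages declared in package.json that npm-shrinkwrap.json does not pin. The function names and the sample data are assumptions constructed for illustration; it handles both the older shrinkwrap layout (a top-level "dependencies" map) and the newer one (a "packages" map keyed by "node_modules/<name>").

```javascript
// Added example: find dependencies declared in package.json that are
// missing from npm-shrinkwrap.json. Inputs are the parsed JSON objects.

// Collect the top-level package names (and versions) a shrinkwrap pins.
function pinnedTopLevel(shrinkwrap) {
  const pinned = new Map();
  // Older layout: { dependencies: { name: { version: "x.y.z" } } }
  for (const [name, info] of Object.entries(shrinkwrap.dependencies || {})) {
    pinned.set(name, info.version);
  }
  // Newer layout: { packages: { "node_modules/name": { version } } }
  const prefix = 'node_modules/';
  for (const [path, info] of Object.entries(shrinkwrap.packages || {})) {
    if (!path.startsWith(prefix)) continue; // skips the root entry ""
    const name = path.slice(prefix.length);
    if (name.includes('/node_modules/')) continue; // nested copy, not top level
    pinned.set(name, info.version);
  }
  return pinned;
}

// Return the sorted names of declared dependencies that are not pinned.
// devDependencies are checked only when includeDev is true, because a
// shrinkwrap may have been generated without them.
function findUnpinned(pkg, shrinkwrap, includeDev = false) {
  const pinned = pinnedTopLevel(shrinkwrap);
  const declared = {
    ...(pkg.dependencies || {}),
    ...(includeDev ? pkg.devDependencies || {} : {}),
  };
  return Object.keys(declared).filter((name) => !pinned.has(name)).sort();
}

// Constructed sample: my_new_package was added to package.json, but
// "npm shrinkwrap" was never re-run afterwards.
const samplePackageJson = {
  name: 'demo-app',
  dependencies: { express: '^4.0.0', my_new_package: '^1.0.0' },
};
const sampleShrinkwrap = {
  name: 'demo-app',
  dependencies: { express: { version: '4.13.4' } },
};

console.log('Not in shrinkwrap:', findUnpinned(samplePackageJson, sampleShrinkwrap));
```

Feeding it the parsed contents of the two real files and failing the build when the returned list is non-empty turns the manual "remember to re-run npm shrinkwrap" step into an automatic check.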