Npm dependency resolution in a corporate environment with 51zero

At 51zero, we provide end to end development solutions including web app user interfaces, in this blog we're going to talk about web-app dependency management in a locked down environment. 

We have found than many Financial Service organisations are well geared up for the artifact management associated with server side development, with, for example, internal Nexus repositories configured as an internal Maven Repository mirror of approved software.

However, artifact/package management in web application development is arguably less mature within the industry, and certainly our experience is it's less mature within the Financial Services development teams.

It is not unusual within a corporate environment to require all the dependencies to be controlled and build servers won't have access to Internet, so references to github repositories will fail.  Usual dependencies resolution would be dealt by Nexus Sonatype dependency manager.  But these sprawling dependnencies are hard to manage on a locked down environment. 

This is where the 'locked down dependency' of npm-shrinkwrap comes in handy.
In order to fix all the dependencies version you need to use npm-shrinkwrap.  First, on a local development machine install the npm-shrinkwrap package

npm install -g npm-shrinkwrap

A example of a failing common library would be karma -e.g. version 0.13.15 and all of the older versions relying on as subdependency


npm install 
npm install karma@1.13.15 
would lead to
npm ERR fetch failed

For the sake of the examples below we would reference the nexus domain as follows:


After installing shrinkwrap on your local box:

1. Delete everything from node_modules, remove shrhinkwrap.json file (back it up) if present

2. Run npm install

3. Run npm shrinkwrap --dev - it will generate another npm-shrinkwrap.json file

4. Replace the references to github tars e.g.

  "xmlhttprequest": {
    "version": "1.5.0",
    "from": "",
    "resolved": ""

with your nexus server e.g. 

  "xmlhttprequest": {
    "version": "1.5.0-rase",
    "from": "[LOCAL_NEXUS_DOMAIN]rase-xmlhttprequest/-/rase-xmlhttprequest-1.5.0.tgz",
    "resolved": "[LOCAL_NEXUS_DOMAIN]rase-xmlhttprequest/-/rase-xmlhttprequest-1.5.0.tgz"

Note that the library above is different from the one

so the .tgz must be overwritten with the one found on 

and make sure the version does not exist on xmlhttprequest

For other libraries it would be simply a matter of fixing the library to the one in nexus


5. Replace the remaining with your nexus instance e.g.

 "resolved": ""


 "resolved": "[LOCAL_NEXUS_DOMAIN]request/-/request-2.42.0.tgz"

6.  Commit/ push the resulting shrinkwrap.json file and the build server will read that when npm install is run

In many organisations debate continues regarding open access to libraries and tools, however it continues to be reality that many corporate environment require all the dependencies to be controlled with build servers unable to access the Internet.  We hope you've found this short guide on how we at 51zero work with our clients to use NPM dependency resolution in these controlled environments.

Please let us know your experience in the comments below.  We regularly post so please subscribe to our newsletter, follow us on Twitter or LinkedIn