author | Mick Thompson <dthompson@gmail.com> | 2014-06-16 21:34:06 +0400 |
---|---|---|
committer | Domenic Denicola <domenic@domenicdenicola.com> | 2014-06-25 02:41:54 +0400 |
commit | ee4d1bad7f700b95defecfe042977c392667f2a4 (patch) | |
tree | a72fc8b080acfcb6b1db2f3d895eabb206450296 | |
parent | 236b581366b3d547e6def9685f4ec9b4331b010e (diff) |
Remove concerns of package republishing from shrinkwrap docs
Republishing packages is no longer possible.
-rw-r--r-- | doc/cli/npm-shrinkwrap.md | 9 |
1 files changed, 0 insertions, 9 deletions
diff --git a/doc/cli/npm-shrinkwrap.md b/doc/cli/npm-shrinkwrap.md index 70f330be8..05637f21d 100644 --- a/doc/cli/npm-shrinkwrap.md +++ b/doc/cli/npm-shrinkwrap.md @@ -163,15 +163,6 @@ shrinkwrap will implicitly be included in A's shrinkwrap. ### Caveats -Shrinkwrap files only lock down package versions, not actual package -contents. While discouraged, a package author can republish an -existing version of a package, causing shrinkwrapped packages using -that version to pick up different code than they were before. If you -want to avoid any risk that a byzantine author replaces a package -you're using with code that breaks your application, you could modify -the shrinkwrap file to use git URL references rather than version -numbers so that npm always fetches all packages from git. - If you wish to lock down the specific bytes included in a package, for example to have 100% confidence in being able to reproduce a deployment or build, then you ought to check your dependencies into |
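Review bot: Deleting the whole paragraph also drops its first sentence, "Shrinkwrap files only lock down package versions, not actual package contents.", which is the premise the paragraph that now opens the Caveats section ("If you wish to lock down the specific bytes included in a package ... check your dependencies into ...") depends on; the commit message only justifies removing the republishing scenario and the git URL workaround, not the version-vs-contents distinction. Suggest keeping that one sentence at the top of Caveats (and dropping the rest as this hunk does) so the byte-level check-in advice still reads as a consequence of a stated limitation rather than an unexplained recommendation. The hunk header (-163,15 +163,6) and the diffstat (0 insertions, 9 deletions) agree, so the change itself is as described.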