Dykotomee

Reputation: 770

How do I force npm dependencies using npm-force-resolutions without using npx?

I need to force a specific package version in a nested dependency. For something like this, npm-force-resolutions works great. A typical solution is to add the script "preinstall": "npx npm-force-resolutions" and "resolutions": {} with a list of package names as keys and versions as values.

For example, if we had a nested dependency of node-fetch at ^1.7.3, but we needed it at ^2.6.1, an extracted package.json script might look like this:

{
  "scripts": {
    "preinstall": "npx npm-force-resolutions"
  },
  "resolutions": {
    "node-fetch": "^2.6.1"
  }
}

The problem I'm facing is that for security reasons in my environment, I don't have access to npx. A solution I tried to come up with was to install npm-force-resolutions as a dev dependency, then add ./node_modules/.bin/npm-force-resolutions as a postinstall script in the package.json file:

{
  "scripts": {
    "postinstall": "./node_modules/.bin/npm-force-resolutions"
  },
  "resolutions": {
    "node-fetch": "^2.6.1"
  }
}

Sadly, after running npm install, the resolutions were not updated (in the above example, node-fetch was still at ^1.7.3). Once npm was finished installing all packages, however, running ./node_modules/.bin/npm-force-resolutions manually does force the resolutions as expected (changing node-fetch above from ^1.7.3 to ^2.6.1).

Is there a way to force resolutions within the install lifecycle but without calling npx? It is important it happens within a single call to npm install due to involvement in continuous integration.

Upvotes: 2

Views: 7333

Answers (1)

caraie

Reputation: 1104

Probably it's not the best solution, but you can try installing that dependency and running it in the preinstall hook instead of running npx:

"preinstall": "npm i npm-force-resolutions && ./node_modules/.bin/npm-force-resolutions",

Upvotes: 1
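
A check that fits the single `npm install` CI requirement in the question, as an added example that is not part of the original question or answer: it compares the `resolutions` field with the versions the lockfile records and lists nested copies that are still out of range. It assumes the standard `package-lock.json` layouts and handles exact versions and caret ranges only; `resolutionViolations`, its helpers and the sample data are constructed for illustration.

```javascript
// Added example: compare package.json "resolutions" with package-lock.json.
// Assumption: only exact versions and caret ranges appear in "resolutions".
const parse = (v) => v.split('-')[0].split('.').map(Number);

// True when `version` satisfies `range` (exact "1.2.3" or caret "^1.2.3").
function satisfies(version, range) {
  if (!range.startsWith('^')) return version === range;
  const v = parse(version), r = parse(range.slice(1));
  // A caret range pins the left-most non-zero component.
  const lock = r[0] !== 0 ? 0 : r[1] !== 0 ? 1 : 2;
  for (let i = 0; i <= lock; i++) if (v[i] !== r[i]) return false;
  for (let i = lock + 1; i < 3; i++) if (v[i] !== r[i]) return v[i] > r[i];
  return true;
}

// Collect every locked copy of every package, at any nesting depth.
function lockedVersions(lock) {
  const found = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (path && meta.version) found.push({ name, path, version: meta.version });
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}${name}`;
      found.push({ name, path, version: meta.version });
      walk(meta.dependencies, `${path} > `);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return found;
}

// Locked copies whose version falls outside the requested resolution.
function resolutionViolations(pkg, lock) {
  const wanted = pkg.resolutions || {};
  const has = (name) => Object.prototype.hasOwnProperty.call(wanted, name);
  return lockedVersions(lock).filter(
    (e) => has(e.name) && !satisfies(e.version, wanted[e.name])
  );
}

// Constructed sample: one nested copy of node-fetch is still at 1.7.3.
const samplePkg = { resolutions: { 'node-fetch': '^2.6.1' } };
const sampleLock = { lockfileVersion: 1, dependencies: {
  'node-fetch': { version: '2.6.7' },
  'isomorphic-fetch': { version: '2.2.1', dependencies: { 'node-fetch': { version: '1.7.3' } } },
} };
console.log(resolutionViolations(samplePkg, sampleLock));
```

In CI, parse the real `package.json` and `package-lock.json`, pass them to `resolutionViolations`, and fail the job when the returned list is not empty.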
