Skip to content


Repository files navigation

gulp-shrinkwrap NPM version Build Status

Run npm shrinkwrap from a gulp task against a given package.json file. Also allow locking package.json dependencies to specific versions.


npm install gulp-shrinkwrap --save-dev


See the API documentation for more details.


Given a gulpfile.js

var gulp = require('gulp'),
  shrinkwrap = require('gulp-shrinkwrap');

gulp.task('shrinkwrap', function () {
  return gulp.src('package.json')
    .pipe(shrinkwrap())      // just like running `npm shrinkwrap`
    .pipe(gulp.dest('./'));  // writes newly created `npm-shrinkwrap.json` to the location of your choice

gulp.task('shrinkwrap-dev', function () {
  return gulp.src('package.json')
    .pipe(shrinkwrap({dev: true}))  // just like running `npm shrinkwrap --dev`

When running

$ gulp shrinkwrap

Then a npm-shrinkwrap.json file will generated at the destination of your choice.

Important Notes

  1. Without the call to gulp.dest, a npm-shrinkwrap.json file will not be created.
  2. By default, npm shrinkwrap will be executed at the path where the supplied package.json file resides. If you want it run in a different context you must supply the prefix option.


Given a gulpfile.js

var gulp = require('gulp'),
  shrinkwrap = require('gulp-shrinkwrap');

gulp.task('shrinkwrap', function () {
  return gulp.src('package.json')
    .pipe(shrinkwrap.lock())  // modifies dependencies and devDependencies in package.json to specific versions.pipe(gulp.dest('./'));   // writes newly modified `package.json`

And a package.json

  "name": "my-app",
  "version": "1.0.0",
  "dependencies": {
    "gulp-util": "^3.0.0",
    "nopt": "^3.0.1",
    "npmconf": "~1.1.5",
    "through2": "0.5.1"
  "devDependencies": {
    "gulp": "^3.8.7",
    "mocha": "~1.21.3"

When running

$ gulp shrinkwrap

Then the package.json file will be modified to be this

  "name": "my-app",
  "version": "1.0.0",
  "dependencies": {
    "gulp-util": "3.0.0",
    "nopt": "3.0.1",
    "npmconf": "1.1.5",
    "through2": "0.5.1"
  "devDependencies": {
    "gulp": "3.8.7",
    "mocha": "1.21.3"

All together

// gulpfile.js
var gulp = require('gulp'),
  shrinkwrap = require('gulp-shrinkwrap');

gulp.task('shrinkwrap', function () {
  return gulp.src('./custom/package.json')
    .pipe(shrinkwrap.lock({devDependencies: false}))  // locks dependencies only in `package.json` to specific versions.pipe(gulp.dest('./new-location'))                // writes newly modified `package.json`
    .pipe(shrinkwrap())                               // just like running `npm shrinkwrap`
    .pipe(gulp.dest('./my-custom-dest'));             // writes newly created `npm-shrinkwrap.json` to the location of your choice

Note: if you try to just drop the above code into your project, the call will likely fail. This is because, if you use wildcards, those will be locked to a specific version but the actual versions installed under node_modules will likely be newer. This will cause a failure during npm shrinkwrap. To get around this, lock your package.json first, re-install all dependencies and then shrinkwrap.

Always keep your shrinkwrap up to date

You'll want to update your npm-shrinkwrap.json every time you install a new dependency. An easy way to do this automatically is via a pre-commit git hook

# Run gulp shrinkwrap on every commit so that we always have the most recent
# dependencies checked in.
npm prune > /dev/null
error=$(gulp shrinkwrap)
if [[ $? -ne 0 ]] ; then
  echo "$error"
  exit 1
# If modified adds file(s) and includes them in commit.
git add package.json
git add npm-shrinkwrap.json


MIT © Chris Montgomery