This packages modifies package-lock.json to force the installation of specific version of a transitive dependency (dependency of dependency), similar to yarn's selective dependency resolutions, but without having to migrate to yarn.

The use case for this is when there is a security vulnerability and you MUST update a nested dependency otherwise your project would be vulnerable. But this should only be used as a last resource, you should first update your top-level dependencies and file an issue for them to update the vulnerable sub-dependencies (npm ls <vulnerable dependency> can help you with that).

First add a field resolutions with the dependency version you want to fix to your package.json, for example:

Then add npm-force-resolutions to the preinstall script so that it patches the package-lock file before every npm install you run:

Now just run npm install as you would normally do:

To confirm that the right version was installed, use:

If your package-lock changes, you may need to run the steps above again.

To build the project from source you'll need to install clojure. Then you can run: