Specify specific version of package dependency


#1

Is there any way to specify a version for a dependency of a required package? Say foo@1.0.0 depends on bar@^2.0.0. Is there any way to say that we specifically want bar@2.1.0 and not bar@2.2.0 to be installed?

I tried the following, but it didn’t seem to work:

require('bar@2.1.0');
const foo = require('foo@1.0.0')

Thanks for any advice!


#2

That method appears to be working for me. I tried the timestring library at latest version vs 1.0.0 and it gave the different versions.


#3

Hi @vegeta897, thank you for the reply. You’re correct that providing a version for a direct dependency works quite nicely. But I was inquiring about how to specify a version for a dependency of a dependency.

In my first example, imagine that foo pulls in bar. I was wondering how to control the version of bar that gets installed when foo is required. As far as I can tell, it’s not possible, but I’m hoping there is a way.


#4

Hi there!

This is a good question. The short answer is that it’s not currently possible.

RunKit resolves the dependency tree based on the timestamp at which the top-level package was required. RunKit will then find all the dependencies which satisfy the semver range, and choose the package with the largest semver that was available at that timestamp. This matches the behavior you would see if you ran npm install that package at that moment.

This is an interesting feature request, so we’ll consider it for the future.

Please let me know if you have any questions, or if I can help in any other way.

– Randy


#5

Thanks for the answer and details Randy!

In my situation, I had an embedded RunKit in a blog post which was demonstrating a bug in library foo because of a bug in its dependency bar. As it turns out, bar later released an update, so now when readers viewed the embedded RunKit, the bug was mysteriously gone, even though I hadn’t updated any code for my blog post!

To be fair though, this is probably a pretty obscure issue to encounter. It’s probably not worth the complexity of addressing my feature request (unless it could be done like the way I attempted in my original post here)!


#6

Ah cool! We actually have a solution for this use case. Embeds have an optional parameter when they’re created: packageTimestamp. If you set that to a time before the package was updated it should work for you.

There’s a bit more documentation for you here: https://runkit.com/docs/embed
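
The resolution rule described in #4 and the effect of an earlier timestamp cutoff as suggested in #6, sketched as an added example that is not part of the thread and not RunKit's own code. The version list and publish dates for bar are constructed, the function names are hypothetical, and only caret ranges over plain MAJOR.MINOR.PATCH versions are handled.

```javascript
// Constructed sample data: version -> publish time for the thread's "bar" package.
// These dates are invented for illustration, not real registry values.
const barPublishTimes = {
  '1.9.0': '2017-01-10T00:00:00Z',
  '2.0.0': '2017-03-01T00:00:00Z',
  '2.1.0': '2017-05-15T00:00:00Z',
  '2.2.0': '2017-08-20T00:00:00Z',
  '3.0.0': '2017-09-01T00:00:00Z',
};

// Parse "MAJOR.MINOR.PATCH" into numbers (prerelease tags are not handled).
function parse(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  if (!m) throw new Error(`unsupported version: ${version}`);
  return m.slice(1).map(Number);
}

// Numeric comparison, component by component.
function compare(a, b) {
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Caret range: changes are allowed below the left-most non-zero component.
function satisfiesCaret(version, range) {
  const base = range.replace(/^\^/, '');
  const [maj, min, pat] = parse(base);
  const upper = maj > 0 ? `${maj + 1}.0.0`
    : min > 0 ? `0.${min + 1}.0` : `0.0.${pat + 1}`;
  return compare(version, base) >= 0 && compare(version, upper) < 0;
}

// Highest in-range version that had already been published at `timestamp`.
function resolveAt(publishTimes, range, timestamp) {
  const cutoff = new Date(timestamp).getTime();
  const candidates = Object.keys(publishTimes)
    .filter((v) => new Date(publishTimes[v]).getTime() <= cutoff)
    .filter((v) => satisfiesCaret(v, range))
    .sort(compare);
  return candidates.length ? candidates[candidates.length - 1] : null;
}

// foo depends on bar@^2.0.0: the same range resolves differently over time.
console.log(resolveAt(barPublishTimes, '^2.0.0', '2017-06-01T00:00:00Z')); // 2.1.0
console.log(resolveAt(barPublishTimes, '^2.0.0', '2017-12-01T00:00:00Z')); // 2.2.0
```

With a cutoff before 2.2.0 was published, the transitive dependency stays at 2.1.0 no matter when the code is run, which is the pinning effect the blog-post embed needed.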


#7

Ah, thanks for pointing that out @me1000, that seems like it’d work perfectly for my situation with an embedded RunKit!