Node Package Managers · Part 6 — Lockfiles, Determinism & Integrity
How resolution actually picks versions, what an SRI integrity hash guarantees, why Corepack pins the package manager per repo, and how lockfile poisoning attacks work.
3 entries
How resolution actually picks versions, what an SRI integrity hash guarantees, why Corepack pins the package manager per repo, and how lockfile poisoning attacks work.
What Yarn v1 fixed about 2016-era npm: deterministic installs, the yarn.lock format, parallel fetching and offline cache — and why it is now frozen in maintenance mode.
The default package manager, demystified: package-lock.json anatomy, hoisting and phantom dependencies, npm ci vs npm install, lifecycle scripts, npx, .npmrc and scoped registries.