add _hasShrinkwrap to npm package metadata

[morriswinkler]

Currently packages that provide a npm-shinrkwrap.json file that are published to verdaccio will not have the required _hasShrinkwrap matedata field set.

In which case npm install will not honour the shrinkwraped file.

see npm issue : npm/cli#4583

The example I used to test that is:

{
  "name": "overrides-issue",
  "version": "1.0.0",
  "dependencies": {
    "@sap/logging": "6.1.2"
  },
  "overrides": {
    "moment": "2.29.4"
  }
}

from npm/cli#5141

If you run npm install && npm ls moment you get something like:

├─┬ @funding/funding-utils@5.0.0
│ └─┬ bunyan@1.8.15
│   └── moment@2.29.4
└─┬ @sap/logging@6.1.3
  └── moment@2.29.4

While if you install that from the npm registry moment will be pinned by the npm-shrinkwrap.json inside @sap/logging to 2.29.2

├─┬ @funding/funding-utils@5.0.0
│ └─┬ bunyan@1.8.15
│   └── moment@2.29.4
└─┬ @sap/logging@6.1.2
  └── moment@2.29.2 invalid: "2.29.4" from node_modules/@sap/logging

It would probably be good to handle the metadata generation similar to the npm registry.

As a reference the npm metadata documentation:
https://github.com/npm/registry/blob/master/docs/responses/package-metadata.md

[KaiBissell]

Hi,

are there any news on this idea?

I am using verdaccio as proxy and want to use npm shrinkwrap due to current security concerns via dependencies.

Are there any future plans how to handle package metadata ?