I'm working on an open source project which is currently using lerna to help manage a single repository with multiple packages. So far, so good, except that every now and then something breaks because we don't currently shrinkwrap anything. I've been trying to do some monorepo version of shrinkwrapping so that we're not at the mercy of all our dependencies (it's amazing how often everything goes wrong in the middle of a release!) but have hit a bit of a wall and wondered if I'm even on the right track.
I was originally hoping to use npm shrinkwrap which I was familiar with from previous projects. Unfortunately lerna doesn't appear to support shrinkwrap.
Plan B was to make use of yarn which, after some initial difficulties, seemed to be going OK after switching to using yarn workspaces; at least I think yarn install --frozen-lockfile was doing what I wanted.
Unfortunately, other than dependency locking, yarn doesn't seem to be helping: everything worked with npm and lerna, but lerna and yarn workspaces seem to be causing issues resolving modules (even resolving something in the same directory, which is baffling).
Maybe switching to yarn is overkill anyway, so I started wondering if more recent versions of npm and package-lock.json would be a better idea. Unfortunately that looks like it would need some workarounds with lerna, at which point I'm beginning to wonder how much lerna is really adding. Maybe dropping lerna would help?
So, tl;dr, does anyone have a good way of locking down module dependencies in a monorepo?