Skip to content

Manage dependencies in Node.js

Node.js applications on the VIP Platform must use npm to manage their dependencies. Other dependency managers such as yarn are not supported. 

Installing dependencies

Prior to building and running a Node.js application, VIP installs the application’s production dependencies with: 

npm install --production 

This step installs the dependencies listed in the dependencies section of an application’s package.json . It does not install the dependencies listed in the devDependencies section.

Any dependency that is required to build or run an application on a VIP Platform environment—including build tools like Webpack or Sass—should be installed as a production dependency.

Production dependencies are installed and saved using the --save option:

npm install --save webpack 

For development dependencies, use the --save-dev option:

npm install --save-dev eslint

Version management

Both package.json and package-lock.json should be committed to a wpvip GitHub repository. Providing package-lock.json enables every system, including the VIP platform, to install and use the exact same dependency tree.

VIP also supports npm-shrinkwrap.json. If npm-shrinkwrap.json is present, it takes precedence over package-lock.json. Though both files perform similar functions, their differences should be considered carefully before adding npm-shrinkwrap.json to an application.

When developing code locally, check that the dependencies installed locally match those specified by package-lock.json in the current working branch. If there are any discrepancies, or to just eliminate doubt, remove the node_modules directory entirely and reinstall the dependencies.


The node_modules directory should not be committed to a wpvip GitHub repository. To ensure that dependencies are not accidentally committed, the node_modules directory has been added to .gitignore in the vip-go-node-skeleton.

Private dependencies

Using private dependencies is not recommended, and they should not be used to provide application secrets or other configuration values.

If private dependencies are necessary, private npm packages can be used to load them:

  1. Publish the private code as one or more private npm packages and install them as dependencies of the application.
  2. Generate an npm access token that has permission to read the private packages.
  3. Set an environment variable named NPM_TOKEN with the access token as its value. This token will be used by VIP to install the private packages.

Another option—though also not recommended—is to commit the credentials to the application’s GitHub repository, either by committing an .npmrc file or by hardcoding access tokens in package.json.  

Last updated: August 08, 2022