salut! Dans le dernier article, nous avons examiné l'écosystème npm comme la source du chaos dans notre projet et avons appris à choisir judicieusement les dépendances pour minimiser nos risques. Aujourd'hui, nous allons examiner les fichiers de verrouillage npm qui peuvent aider à améliorer la stabilité d'un projet au fur et à mesure que nous y travaillons.
Quand le manifeste ne suffit pas
, npm ( package.json) , node_modules
, .
node_modules
, , , , . , , , . 100 %, , , .
npm , .
, semver, ? , , npm registry , . , , ( ) .
, , npm registry, . npm registry, . , , - ?
, , node_modules
, .
, ( semver): , , . . , , , , .
, CI/CD , , . , ID Git ( Git-), ( ). , Git-, ID , . , (pure function): , , . node_modules
Git, , npm. , , ( npm registry, npm . .). , npm CI/CD ID .
Lock-
, npm ( ) . : npm install
, npm node_modules
, package-lock.json
. lock- , , URL npm registry, , SHA- . , lock- npm , .
npm install
, lock- , lock-. , npm install
( ), node_modules
. , lock- , npm , npm. npm , lock- , , , . - .
lock-, . , Git. CI/CD « ».
, , Git- , , . «, » (“it works on my machine”).
package-lock.json
Npm lock- , npm registry npm. code review. Diff lock- , , , . , , - . , ( , , ).
package-lock.json
, — express
.
400 , , .
package-lock.json
{
"name": "test",
"version": "1.0.0",
"lockfileVersion": 1,
"requires": true,
"dependencies": {
"express": {
"version": "4.17.1",
"resolved": "https://registry.npmjs.org/express/-/express-4.17.1.tgz",
"integrity": "sha512-mHJ9O79RqluphRr…7xlEMXTnYt4g==",
"requires": {
"debug": "2.6.9",
"send": "0.17.1"
}
},
"debug": {
"version": "2.6.9",
"resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
"integrity": "sha512-bC7ElrdJaJnPbAP…eAPVMNcKGsHMA==",
"requires": {
"ms": "2.0.0"
}
},
"ms": {
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
"integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g="
},
"send": {
"version": "0.17.1",
"resolved": "https://registry.npmjs.org/send/-/send-0.17.1.tgz",
"integrity": "sha512-BsVKsiGcQMFwT8U…cNuE3V4fT9sAg==",
"requires": {
"debug": "2.6.9",
"depd": "~1.1.2",
"destroy": "~1.0.4",
"encodeurl": "~1.0.2",
"escape-html": "~1.0.3",
"etag": "~1.8.1",
"fresh": "0.5.2",
"http-errors": "~1.7.2",
"mime": "1.6.0",
"ms": "2.1.1",
"on-finished": "~2.3.0",
"range-parser": "~1.2.1",
"statuses": "~1.5.0"
},
"dependencies": {
"ms": {
"version": "2.1.1",
"resolved": "https://registry.npmjs.org/ms/-/ms-2.1.1.tgz",
"integrity": "sha512-tgp+dl5cGk28utY…YaD/kOWhYQvyg=="
}
}
}
}
}
, . :
- name version — , lock-.
- lockfileVersion — , lock-. , npm - .
- dependencies — ; , , — .
:
- version — .
- resolved — URL npm, .
- integrity — SHA- ; , , , ( ). npm, , - .
npm install
. - requires — , (
dependencies
). , — semver. - dependencies —
dependencies
, . , , . - dev —
true
, ( ).
, express
( ) debug
, , , ms@2.0.0
. , send
ms
, 2.1.1. , node_modules ms
( ), , Node.js, . (ms@2.0.0
), — send
(ms@2.1.1
). lock-. node_modules.
.
lock- , , . , . lock- .
lock- npm
lock-, - merge- Git. ( ), npm install
: lock-.
lock- , merge- Git, npm. package-lock.json
. , , , npm install
.
merge- npm :
npx npm-merge-driver install -g
Git :
npm WARN conflict A git conflict was detected in package-lock.json.
Attempting to auto-resolve. Auto-merging package-lock.json
lock-
lock- - , npm lock-, . , npm install lodash
, , npm , lock-. , npm , lock- .
, , , «» () lock-. , : npm install
, npm lock-, , lock-, .
CI/CD
, npm lock- , lock- . , , CI/CD, - .
, npm npm ci. npm install
, lock-. , lock-, npm ci
, , ( Fail-fast). , npm ci
node_modules
, .
npm install
CI/CD, npm ci
. ! ( ).
lock- . , : package-lock.json
npm registry. , npm (), lock- - . . : , ( ?) . .
Shrinkwrap
npm npm shrinkwrap. npm-shrinkwrap.json
, lock-, . , , package-lock.json
, npm . , , .
, , . , , Node.js, (, webpack, gulp, create-react-app . .). (npm i -g
), shrinkwrap- , , . , , npm shrinkwrap
. .
, npm-shrinkwrap.json
package-lock.json
. .
-
. , , . , ( shrinkwrap
, , ).
, , , . , lock- , , ( ). npm update
.
, lock- . , . , runtime- dev-. lock-, dev- - , .
, , CI/CD , lock-, . ( ) lock- ( CI/CD ).
…
lock- , , - . package-lock.json
.gitignore
npm, lock-. ( ) , . , - , , , . , , , , , .
, , , , .
!
, lock- , , , .
, . , . Diff lock- , . , . , , , , .
, , , . , ( , , ) (diff ).
, , , . : , .
, lock- npm. .
, , , , . , , .
- , , .