
Hi! In the previous article, we looked at the npm ecosystem as the source of chaos in our project and learned to choose dependencies wisely to minimize our risks. Today we will look at npm lock files, which can help improve a project's stability as we work on it.
When the manifest is not enough
   , npm      ( package.json)     ,         node_modules,      .
      node_modules,  ,        ,        ,         .  ,  ,          ,   .           100 %,   ,   ,    .
npm , .
, semver, ? , , npm registry , . , , ( ) .
, , npm registry, . npm registry, . , , - ?
   ,  ,      node_modules       ,        .
, ( semver): , , . . , , , , .
  ,        CI/CD   ,  ,        .  ,     ID   Git (  Git-),           (     ).  ,       Git-,   ID ,           .  ,       (pure function):    ,    ,         .       node_modules  Git,  ,            npm. ,    ,           ( npm registry,  npm  . .). ,  npm      CI/CD          ID .
Lock-
            , npm (     )     .       :    npm install, npm         node_modules,      package-lock.json.    lock-          ,    , URL npm registry,     ,   SHA-    .  , lock- npm      ,      .
    npm install   ,  lock-    ,             lock-.  ,     npm install           (  ),           node_modules.   ,     lock-  ,   npm         ,    npm.    npm      , lock-        ,   ,  ,        .  -     .
lock-, . , Git. CI/CD « ».
, , Git- , , . «, » (“it works on my machine”).

package-lock.json
Npm lock- , npm registry npm. code review. Diff lock- , , , . , , - . , ( , , ).
     package-lock.json   ,      — express.
400 , , .
package-lock.json
{
  "name": "test",
  "version": "1.0.0",
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
    "express": {
      "version": "4.17.1",
      "resolved": "https://registry.npmjs.org/express/-/express-4.17.1.tgz",
      "integrity": "sha512-mHJ9O79RqluphRr…7xlEMXTnYt4g==",
      "requires": {
        "debug": "2.6.9",
        "send": "0.17.1"
      }
    },
    "debug": {
      "version": "2.6.9",
      "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
      "integrity": "sha512-bC7ElrdJaJnPbAP…eAPVMNcKGsHMA==",
      "requires": {
        "ms": "2.0.0"
      }
    },
    "ms": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
      "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g="
    },
    "send": {
      "version": "0.17.1",
      "resolved": "https://registry.npmjs.org/send/-/send-0.17.1.tgz",
      "integrity": "sha512-BsVKsiGcQMFwT8U…cNuE3V4fT9sAg==",
      "requires": {
        "debug": "2.6.9",
        "depd": "~1.1.2",
        "destroy": "~1.0.4",
        "encodeurl": "~1.0.2",
        "escape-html": "~1.0.3",
        "etag": "~1.8.1",
        "fresh": "0.5.2",
        "http-errors": "~1.7.2",
        "mime": "1.6.0",
        "ms": "2.1.1",
        "on-finished": "~2.3.0",
        "range-parser": "~1.2.1",
        "statuses": "~1.5.0"
      },
      "dependencies": {
        "ms": {
          "version": "2.1.1",
          "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.1.tgz",
          "integrity": "sha512-tgp+dl5cGk28utY…YaD/kOWhYQvyg=="
        }
      }
    }
  }
}
      , . :
- name version — , lock-.
 - lockfileVersion — , lock-. , npm - .
 - dependencies — ; , , — .
 
:
- version — .
- resolved — URL npm, .
- integrity — SHA- ; , , , ( ). npm, , - . npm install.
- requires — , ( dependencies). , — semver.
- dependencies — dependencies, . , , .
- dev — true, ( ).
 ,      express (  )    debug,  ,   ,  ms@2.0.0.    ,  send    ms,    2.1.1. ,    node_modules  ms      ( ), ,      Node.js,          .         (ms@2.0.0),   —    send (ms@2.1.1).        lock-.         node_modules.
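An added example, not part of the original article: a Node.js walk over the `lockfileVersion: 1` structure shown above. It lists the node_modules path each entry maps to (so ms@2.0.0 and ms@2.1.1 get distinct paths) and flags entries whose `resolved` host is not the expected registry or whose `integrity` is not SHA-512. The names `auditLockfile` and `SAMPLE`, the host `mirror.example.test` and the placeholder integrity strings are assumptions made for this sketch.

```javascript
// Added example: audit a lockfileVersion 1 package-lock.json tree.
// auditLockfile, SAMPLE and mirror.example.test are illustrative assumptions.
const reg = 'https://registry.npmjs.org';
// Constructed sample shaped like the lock file above; integrity values are
// placeholders, so only the algorithm prefix before "-" is inspected.
const SAMPLE = {
  lockfileVersion: 1,
  dependencies: {
    debug: { version: '2.6.9', resolved: `${reg}/debug/-/debug-2.6.9.tgz`, integrity: 'sha512-PLACEHOLDER' },
    ms: { version: '2.0.0', resolved: `${reg}/ms/-/ms-2.0.0.tgz`, integrity: 'sha1-PLACEHOLDER' },
    send: {
      version: '0.17.1',
      resolved: `${reg}/send/-/send-0.17.1.tgz`,
      integrity: 'sha512-PLACEHOLDER',
      dependencies: {
        // Constructed deviation: this nested entry points at another host.
        ms: { version: '2.1.1', resolved: 'https://mirror.example.test/ms-2.1.1.tgz', integrity: 'sha512-PLACEHOLDER' },
      },
    },
  },
};

// Each nested "dependencies" object corresponds to a nested node_modules
// directory, so two versions of one package get two distinct paths.
function auditLockfile(lock, allowedHosts = ['registry.npmjs.org']) {
  const rows = [];
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      const issues = [];
      let host = null;
      try {
        host = new URL(entry.resolved).hostname;
      } catch {
        issues.push('no-resolved-url');
      }
      if (host && !allowedHosts.includes(host)) issues.push(`unexpected-host:${host}`);
      const algo = String(entry.integrity || '').split('-')[0];
      if (!algo) issues.push('no-integrity');
      else if (algo !== 'sha512') issues.push(`integrity-not-sha512:${algo}`);
      rows.push({ path, version: entry.version, issues });
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return rows;
}

for (const r of auditLockfile(SAMPLE)) console.log(r.path, r.version, r.issues.join(',') || 'ok');
```

Run against a real lock file by passing the parsed JSON in place of `SAMPLE`; a non-empty `issues` list on any row is worth a closer look during review of a lock file diff.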
.
lock- , , . , . lock- .
lock- npm
         lock-,   -    merge-  Git.           (  ),    npm install:       lock-.
       lock- ,     merge-  Git,     npm.       package-lock.json . ,     ,         ,    npm install.
merge- npm :
npx npm-merge-driver install -g
      Git :
npm WARN conflict A git conflict was detected in package-lock.json.
Attempting to auto-resolve. Auto-merging package-lock.json
      lock-
   lock-   -     , npm   lock-,     . ,     npm install lodash,   ,  npm        ,    lock-.  , npm  ,  lock-    .
        , ,   ,   «» ()    lock-.    ,    :     npm install, npm   lock-,    ,      lock-,    .
CI/CD
, npm lock- , lock- . , , CI/CD, - .
   ,  npm    npm ci.    npm install,      lock-.  ,       lock-,  npm ci       , ,      ( Fail-fast).  , npm ci    node_modules   ,      .
        npm install    CI/CD,   npm ci  .      ! ( ).
      lock-    . ,    :  package-lock.json    npm registry.  ,         npm (),    lock-             - .         .   :       ,           (  ?)     .      .
Shrinkwrap
  npm    npm shrinkwrap.    npm-shrinkwrap.json   ,     lock-,      .    , ,    package-lock.json,      npm           . ,      ,       .
   ,       ,     . ,    ,      Node.js,       (,  webpack, gulp, create-react-app  . .).         (npm i -g),   shrinkwrap- ,          ,     .  ,            ,     npm shrinkwrap.          .
,  npm-shrinkwrap.json     package-lock.json.      .
-
         .   ,       ,      .      ,      (    shrinkwrap,    ,    ).
       ,          ,  ,         . ,     lock-   ,         ,             (     ).       npm update   .
, lock- . , . , runtime- dev-. lock-, dev- - , .
, , CI/CD , lock-, . ( ) lock- ( CI/CD ).
…
   lock-   , , -       .     package-lock.json  .gitignore    npm,    lock-.    (    )      ,           .            ,  -   ,      ,     ,      .      ,       ,   ,  ,   ,    .
, , , , .
!
, lock- , , , .
, . , . Diff lock- , . , . , , , , .
, , , . , ( , , ) (diff ).
, , , . : , .
, lock- npm. .
npm.
, , , , . , , .
- , , .