An analysis of npm's lock mechanism

What is npm

npm is a package manager: it lets you publish open-source packages and download packages that other people have published. Anyone with a front-end background has used npm, so no lengthy introduction is needed here. In daily work, npm is mainly used to run npm install, which installs a project's dependencies according to package.json.

npm install is arguably one of the commands we run most often. Before npm 5, npm install installed dependencies according to the versions specified in package.json. But package.json usually specifies a version range rather than an exact version, for example:

"dependencies": {
    "packageA": "^2.0.0"
},

The ^2.0.0 above specifies the range of versions that are not lower than 2.0.0 and whose major version number is 2. So 2.6.10 satisfies this range, while 3.0.0 and 1.0.0 do not.

Such a range causes a problem. Developer A creates a project and generates the package.json above. A installs the dependencies early, when the latest version of packageA is 2.1.0; this version is compatible with the code and no bugs appear. Later, B clones A's project, and by then the latest version of packageA is 2.2.0, so by semantic versioning npm installs 2.2.0. But the API may have changed in 2.2.0, and the code now has bugs.

That is the problem package.json brings: the same package.json produces different installation results at different times and in different environments.

In theory this problem should not arise, because npm, as part of the open-source world, also follows a release principle: a new version with the same major version number should be compatible with older versions. That is, upgrading from 2.1.0 to 2.2.0 should not change the API.

But many open-source library developers do not strictly follow this release principle, which leads to the problem above.

The lock mechanism

Every new thing is born to solve a historical problem.

Given this situation, npm 5 introduced a lock mechanism. With npm 5.0.0 or later, npm install automatically generates a package-lock.json file that records the exact version of each dependency installed by this install.

For example, when package.json declares the following dependency:

"dependencies": {
    "vue": "^2.0.0"
  },

after install, the automatically generated package-lock.json specifies that vue 2.6.10 (the latest version at the time of writing) was installed:

"dependencies": {
    "vue": {
      "version": "2.6.10",
      "resolved": "https://registry.npm.taobao.org/vue/download/vue-2.6.10.tgz",
      "integrity": "sha1-pysaQqTYKnIepDjRtr9V5mGVxjc="
    }
  }

package-lock.json is equivalent to a snapshot of this install: it records not only the versions of the direct dependencies specified in package.json but also the versions of indirect dependencies.

If we want to install exactly the same version of every dependency at different times and in different environments, we can commit package-lock.json along with the project.

When both package.json and package-lock.json exist, npm install checks whether the version specified in package-lock.json falls within the range specified in package.json. If it does, the version in package-lock.json is installed. If not, package-lock.json is ignored and then overwritten with the newly installed version.

For example:

// package.json
"dependencies": {
    "vue": "^2.0.0"
  }

// package-lock.json
"dependencies": {
    "vue": {
      "version": "2.1.0",
      "resolved": "https://registry.npm.taobao.org/vue/download/vue-2.1.0.tgz",
      "integrity": "sha1-KTuj76rKhGqmvL+sRc+FJMxZfj0="
    }
  }

Here the 2.1.0 specified in package-lock.json is within the ^2.0.0 range, so npm install installs vue 2.1.0.

// package.json
"dependencies": {
    "vue": "^2.2.0"
  }

// package-lock.json
"dependencies": {
    "vue": {
      "version": "2.1.0",
      "resolved": "https://registry.npm.taobao.org/vue/download/vue-2.1.0.tgz",
      "integrity": "sha1-KTuj76rKhGqmvL+sRc+FJMxZfj0="
    }
  }

Here the 2.1.0 specified in package-lock.json is not within the ^2.2.0 range, so npm install follows the ^2.2.0 rule and installs the latest version, 2.6.10, and package-lock.json is updated to version 2.6.10.

It is worth noting that not every npm 5 release uses this logic: the install logic changed several times between npm 5.0 and npm 5.6, and the logic described here is the one used from npm 5.6 onward.

Going a step further: npm ci

With the lock mechanism, npm 5 met developers' need to lock versions: we only need to obtain a package-lock.json to know the specific version of each dependency that will be installed. But careful readers will notice that when the version specified in package-lock.json is not within the range specified in package.json, package-lock.json is updated and overwritten. That works against our goal of maintaining a fixed version.

So npm later introduced the npm ci command to solve this problem. The difference between npm ci and npm i is that when the version of a dependency specified in package-lock.json is not within the range specified in package.json, npm ci reports an error and aborts the installation.

So we no longer need to worry about package-lock.json being overwritten when it is inconsistent with package.json.
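As an added example that is not part of the original post (nor npm's own code), the following JavaScript models the decision described above for both npm install and npm ci. It handles only exact pins and ^ ranges (including the 0.x rule, which the post does not cover), and the `latest` object is constructed data standing in for the registry.

```javascript
// Added example, not code from the original post or from npm itself: a
// simplified model of how npm install and npm ci reconcile package.json
// with package-lock.json. Only exact pins and caret ranges are modelled.
const parse = (v) => v.split('.').map(Number); // "2.6.10" -> [2, 6, 10]

// Numeric comparison of two parsed versions (negative, zero or positive).
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Does `version` fall inside `range`? ^X.Y.Z means: not lower than X.Y.Z
// and the same major version (for 0.x, the minor must also match).
function satisfies(version, range) {
  const v = parse(version);
  if (!range.startsWith('^')) return compare(v, parse(range)) === 0;
  const base = parse(range.slice(1));
  if (compare(v, base) < 0 || v[0] !== base[0]) return false;
  return base[0] !== 0 || v[1] === base[1];
}

// Decide what each dependency resolves to. `latest` stands in for the
// registry's newest version in range (constructed data, no network).
function resolve(mode, pkgJson, lock, latest) {
  const result = {};
  for (const [name, range] of Object.entries(pkgJson.dependencies)) {
    const entry = lock.dependencies[name];
    const locked = entry && entry.version;
    if (locked && satisfies(locked, range)) {
      result[name] = { version: locked, lockUpdated: false };
    } else if (mode === 'ci') {
      // npm ci aborts instead of silently rewriting the lock file.
      throw new Error(`${name}: locked ${locked} is outside ${range}`);
    } else {
      result[name] = { version: latest[name], lockUpdated: true };
    }
  }
  return result;
}

// Constructed inputs mirroring the post's second example.
const pkgJson = { dependencies: { vue: '^2.2.0' } };
const lock = { dependencies: { vue: { version: '2.1.0' } } };
const latest = { vue: '2.6.10' };
console.log(resolve('install', pkgJson, lock, latest)); // lock is overwritten
try { resolve('ci', pkgJson, lock, latest); } catch (e) { console.log(e.message); }
```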

Summary

From npm 5.6 onward we can safely use the package-lock.json file to lock versions, and we can use the npm ci command when building and deploying to prevent npm install from updating and overwriting the lock file.

A final word

I run a public account called "Front-end Porter", where I regularly push selected, high-quality front-end articles, refusing brainless entry-level pieces, to give you a different perspective on the front end.

Reproduced from: https://juejin.im/post/5d07942ef265da1bc41453df


Origin: blog.csdn.net/weixin_34240657/article/details/93165457