What is the point of putting npm's "package-lock.json" under version control?


Problem description

What is the point of putting npm's package-lock.json under version control? In my experience having this file source controlled has caused more trouble and confusion than efficiency gains.

Having package-lock.json under source control makes for a major headache every time a developer who added/removed/modified any node modules needs to resolve conflicts between branches. Especially when working on complex/large apps where the package-lock.json can be tens of thousands of lines long. Even just blowing away node_modules and running a fresh npm install can generate drastic changes in the package-lock.

There are several other SO questions about the package-lock:

  • Do I commit the package-lock.json file created by npm
  • Npm - package-lock.json role
  • Why does npm install rewrite package-lock.json?

And a GitHub issue with a ton of conversation about package-lock:

Which makes me think there is still widespread uncertainty that needs to be cleared up.

According to the docs:

package-lock.json is automatically generated for any operations where npm modifies either the node_modules tree, or package.json.

So why would you put an automatically generated file under source control?

The above GitHub issue details how some people, in response to confusion with the package-lock.json, change their npm install script to rm -f package-lock.json && npm install, which also does not feel correct.

It seems like package-lock.json is striving to be the source of truth for the exact version of node module dependencies, but isn't that exactly what the package.json does? When does the excruciating pain of resolving merge conflicts in this file start to pay off?

Recommended answer

In my experience, it does not make sense to put package-lock.json under version control. It makes managing large merges/rebases a nightmare. However, there are instances where the package-lock can be very useful.

Recently (2017/10/10) moment.js introduced breaking changes in a minor version update. Meaning if one was to ship with no package-lock.json, and had something like this in their package.json:

"moment": "^2.12.0"

Some breaking changes introduced in version 2.19.0 would silently infiltrate your code with almost no trace.

This is why after cutting a branch to serve as a release candidate it is crucial to:

  • remove package-lock.json from .gitignore
  • run npm install to generate a package-lock.json
  • test, qa, deploy with this package-lock

This assures your npm module versions will remain locked down on the same versions that were tested.
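To make the answer's moment.js scenario concrete, here is an added example (not code from the question, the answer, or npm itself) that models how a caret range in package.json resolves with and without a lockfile. It assumes a constructed list of published versions and a constructed lockfileVersion 1 entry pinning 2.18.1; only "^x.y.z" ranges with x >= 1 are modelled, whereas real npm uses the full semver library.

```javascript
// Added example: why "^2.12.0" floats to a breaking 2.19.0 without a lockfile,
// and how a committed package-lock.json pins the version that was actually tested.
// Only caret ranges with major >= 1 are modelled here (assumption, not npm's code).

function parseVersion(v) {
  const [major, minor, patch] = v.split('.').map(Number);
  return { major, minor, patch };
}

// Numeric semver ordering: negative if a < b, positive if a > b, 0 if equal.
function compare(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return (pa.major - pb.major) || (pa.minor - pb.minor) || (pa.patch - pb.patch);
}

// "^2.12.0" allows >=2.12.0 <3.0.0: the caret keeps the major fixed when major >= 1,
// so a minor bump such as 2.19.0 is still considered "compatible".
function caretSatisfies(range, version) {
  if (!range.startsWith('^')) throw new Error('only caret ranges are modelled here');
  const min = range.slice(1);
  const v = parseVersion(version), m = parseVersion(min);
  if (m.major === 0) throw new Error('0.x caret semantics are not modelled here');
  return v.major === m.major && compare(version, min) >= 0;
}

// Without a lockfile npm picks the highest published version that satisfies the range.
function resolveWithoutLock(range, published) {
  const matches = published.filter(v => caretSatisfies(range, v));
  return matches.length === 0 ? null : matches.sort(compare).pop();
}

// With a lockfile the pinned version wins, provided it still satisfies package.json
// (the consistency check `npm ci` performs before installing from the lock).
function resolveWithLock(range, lock, name) {
  const entry = lock.dependencies[name];
  if (!entry) return { error: `${name} is missing from the lockfile` };
  if (!caretSatisfies(range, entry.version)) {
    return { error: `${name}@${entry.version} does not satisfy ${range}` };
  }
  return { version: entry.version };
}

// Constructed sample data: the two moment versions named in the answer, plus a
// constructed 2.18.1 standing in for the release the team tested against.
const PUBLISHED = ['2.12.0', '2.18.1', '2.19.0'];
const RANGE = '^2.12.0';
const LOCK = { lockfileVersion: 1, dependencies: { moment: { version: '2.18.1' } } };
console.log('no lock  :', resolveWithoutLock(RANGE, PUBLISHED));   // 2.19.0
console.log('with lock:', resolveWithLock(RANGE, LOCK, 'moment'));  // { version: '2.18.1' }
```

Committing the lockfile only helps if installs honour it; a script that deletes it before `npm install`, as the question mentions, silently reverts to the "no lock" path.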
