How to install packages based on the lock-file with Yarn?


Question

We use Yarn to install dependencies. The yarn-lock file is in the repo. If compared to composer for PHP, I would expect that when I run yarn install, the dependencies are installed based on the lock-file, and the lock file does not change.

With composer install for PHP, you always install the same version for each package on any environment. I don't see why yarn does not work in a similar way.

I think that with yarn install the lock gets updated too often and the file loses its point since it actually does not lock versions. Or am I using the wrong commands?

Recommended answer

I think your best bet is using the --frozen-lockfile flag with yarn install.

If you need reproducible dependencies, which is usually the case with the continuous integration systems, you should pass --frozen-lockfile flag.

Also

Don’t generate a yarn.lock lockfile and fail if an update is needed.


This way, if someone tries to push changes to package.json, say upgrade react from ^16.8.0 to ^16.10.0, without updating the yarn.lock file, then it will error out in the CI like below.

> yarn install --frozen-lockfile
error Your lockfile needs to be updated, but yarn was run with `--frozen-lockfile`.


To address your comment:

I think that with yarn install the lock gets updated too often and the file loses its point since it actually does not lock versions. Or am I using the wrong commands?

Yarn/npm is just doing what you tell it to. If you set the version in your package.json to "react": "16.8.0", it will never update the yarn.lock, but when using any of the npm ranges like the Caret (i.e. "react": "^16.8.0"), yarn/npm will resolve to the highest/newest version that satisfies the range you specified. You have all the power!

I found a small edge case. If you are running yarn add in your CI, such as for a CI-only dependency, it will update the lock file and do an install for all dependencies. For example...

# Add ci dep
yarn add codecov

# Install all deps from yarn.lock
yarn install --frozen-lockfile

This will not error like you might expect. Instead, add the --frozen-lockfile flag to the yarn add command like this...

# Add ci dep
yarn add codecov --frozen-lockfile

# Install all deps from yarn.lock
yarn install --frozen-lockfile
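
The mismatch described in the answer above (a range changed in package.json with no matching yarn.lock entry) can be detected before CI runs the install. The following is an added example, not code from the original answer or from Yarn; it assumes the Yarn 1 "yarn lockfile v1" text format, where each entry is keyed by its name@range patterns, and the function names and sample data are constructed for illustration.

```javascript
// Added example (not from the original answer). Sample data below is constructed.
// Assumes the Yarn 1 "yarn lockfile v1" text format.
// Map every "name@range" pattern in yarn.lock to its pinned version.
function lockedPatterns(lockText) {
  const patterns = new Map();
  let current = [];
  for (const line of lockText.split(/\r?\n/)) {
    if (line === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ") && line.endsWith(":")) {
      // Entry header: one or more comma-separated patterns, optionally quoted.
      current = line.slice(0, -1).split(",")
        .map((s) => s.trim().replace(/^"|"$/g, ""));
    } else {
      const m = /^  version "(.+)"$/.exec(line);
      if (m) for (const p of current) patterns.set(p, m[1]);
    }
  }
  return patterns;
}

// Return the package.json specifiers that have no entry in the lockfile.
function staleSpecifiers(pkg, lockText) {
  const locked = lockedPatterns(lockText);
  const stale = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (!locked.has(`${name}@${range}`)) stale.push(`${name}@${range}`);
    }
  }
  return stale;
}

// Constructed lockfile excerpt and manifests.
const SAMPLE_LOCK = [
  "# yarn lockfile v1",
  "",
  '"@babel/core@^7.0.0", "@babel/core@^7.1.0":',
  '  version "7.4.0"',
  "",
  "react@^16.8.0:",
  '  version "16.8.6"',
  "  dependencies:",
  '    loose-envify "^1.1.0"',
].join("\n");
const IN_SYNC = { dependencies: { react: "^16.8.0" }, devDependencies: { "@babel/core": "^7.1.0" } };
const BUMPED = { dependencies: { react: "^16.10.0" }, devDependencies: { "@babel/core": "^7.1.0" } };

console.log(staleSpecifiers(IN_SYNC, SAMPLE_LOCK));
console.log(staleSpecifiers(BUMPED, SAMPLE_LOCK));
```

A non-empty result lists the specifiers whose lockfile entries are missing, which a pre-commit hook or review check can report by name.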
