Why does "npm install" rewrite package-lock.json?


Question

I just recently upgraded to npm@5. I now have a package-lock.json file with everything from package.json. I would expect that, when I run npm install, the dependency versions would be pulled from the lock file to determine what should be installed in my node_modules directory. What's strange is that it actually ends up modifying and rewriting my package-lock.json file.

For example, the lock file had typescript specified to be at version 2.1.6. Then, after the npm install command, the version was changed to 2.4.1. That seems to defeat the whole purpose of a lock file.

What am I missing? How do I get npm to actually respect my lock file?

Answer

Update 3: As other answers point out as well, the npm ci command was introduced in npm 5.7.0 as an additional way to achieve fast and reproducible builds in the CI context. See the documentation and npm blog for further information.

Update 2: The issue to update and clarify the documentation is GitHub issue #18103.

Update 1: The behaviour that was described below got fixed in npm 5.4.2: the currently intended behaviour is outlined in GitHub issue #17979.

Original answer: The behaviour of package-lock.json was changed in npm 5.1.0 as discussed in issue #16866. The behaviour that you observe is apparently intended by npm as of version 5.1.0.

That means that package.json can override package-lock.json whenever a newer version is found for a dependency in package.json. If you want to pin your dependencies effectively, you now must specify the versions without a prefix, e.g., you need to write them as 1.2.0 instead of ~1.2.0 or ^1.2.0. Then the combination of package.json and package-lock.json will yield reproducible builds. To be clear: package-lock.json alone no longer locks the root level dependencies!

Whether this design decision was good or not is arguable, there is an ongoing discussion resulting from this confusion on GitHub in issue #17979. (In my eyes it is a questionable decision; at least the name lock doesn't hold true any longer.)

One more side note: there is also a restriction for registries that don’t support immutable packages, such as when you pull packages directly from GitHub instead of npmjs.org. See this documentation of package locks for further explanation.
