NPM Lock down dependency versions in our dependencies package.json
Question
So I have an application that pulls in some dependencies. I have figured out how to lock those down quite easily, and thus my package.json looks like so:
"webpack": "2.2.1",
Great! So webpack is locked to that version, but I have noticed something in webpack's package.json. They don't lock down their dependencies:
"dependencies": {
"acorn": "^4.0.4",
"acorn-dynamic-import": "^2.0.0",
"ajv": "^4.7.0",
"ajv-keywords": "^1.1.1",
"async": "^2.1.2",
"enhanced-resolve": "^3.0.0",
"interpret": "^1.0.0",
"json-loader": "^0.5.4",
"loader-runner": "^2.3.0",
"loader-utils": "^0.2.16",
"memory-fs": "~0.4.1",
"mkdirp": "~0.5.0",
"node-libs-browser": "^2.0.0",
"source-map": "^0.5.3",
"supports-color": "^3.1.0",
"tapable": "~0.2.5",
"uglify-js": "^2.8.5",
"watchpack": "^1.2.0",
"webpack-sources": "^0.2.0",
"yargs": "^6.0.0"
},
So the other day our app spun up on a container and grabbed webpack 2.2.1 like it should have, but grabbed the latest uglify-js, which caused issues with our production app.
Is there any way to enforce versions for the dependencies that our dependencies are utilizing?
Recommended answer
npm shrinkwrap is what I was looking for and needed.
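Added example, not code from the original question or answer: a small Node.js script that checks the two things this thread is about, namely which declared dependency specs are ranges rather than exact pins, and which exact version a lockfile actually forces for a transitive dependency such as uglify-js. The webpack dependency list is the one quoted in the question; the package.json, the npm-shrinkwrap.json fragment, its version numbers and its integrity hashes are constructed for the example and are not real lockfile contents. The lockfile is assumed to use the v1 `dependencies` tree layout that `npm shrinkwrap` writes.

```javascript
// Added example (not from the original post). Audits what package.json
// declares against what an npm-shrinkwrap.json (lockfile v1 layout) pins.

// Exact pin: "2.2.1" or "2.2.1-beta.1". Anything with ^ ~ > < * x || or a
// bare major is a range that npm may resolve differently on each install.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isExactSpec(spec) {
  return EXACT_VERSION.test(String(spec).trim());
}

// [name, spec] pairs whose spec is a range rather than an exact pin.
function findUnpinned(dependencies) {
  return Object.entries(dependencies || {}).filter(([, spec]) => !isExactSpec(spec));
}

// Flatten a v1 lockfile tree into a list of installed packages, keeping the
// chain of parents under which each copy is nested (nested copies appear when
// two parents need incompatible versions of the same package).
function flattenLock(lock) {
  const out = [];
  const walk = (deps, path) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = [...path, name];
      out.push({ path: here.join(' > '), name, version: entry.version,
                 resolved: entry.resolved, integrity: entry.integrity });
      walk(entry.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return out;
}

// Every distinct version of `name` the lockfile installs anywhere in the tree.
function resolvedVersions(lock, name) {
  const versions = flattenLock(lock).filter((p) => p.name === name).map((p) => p.version);
  return [...new Set(versions)].sort();
}

// Sanity check on the lockfile itself: each entry needs an exact version and an
// integrity hash, otherwise it cannot guarantee the same bytes next install.
function auditLock(lock) {
  const problems = [];
  for (const p of flattenLock(lock)) {
    if (!isExactSpec(p.version)) problems.push(`${p.path}: version "${p.version}" is not exact`);
    if (!p.integrity) problems.push(`${p.path}: missing integrity hash`);
  }
  return problems;
}

// The application's own package.json dependencies, as in the question.
const appDependencies = { webpack: '2.2.1' };

// webpack 2.2.1's dependency list as quoted in the question: all ranges.
const webpackDependencies = {
  acorn: '^4.0.4', 'acorn-dynamic-import': '^2.0.0', ajv: '^4.7.0',
  'ajv-keywords': '^1.1.1', async: '^2.1.2', 'enhanced-resolve': '^3.0.0',
  interpret: '^1.0.0', 'json-loader': '^0.5.4', 'loader-runner': '^2.3.0',
  'loader-utils': '^0.2.16', 'memory-fs': '~0.4.1', mkdirp: '~0.5.0',
  'node-libs-browser': '^2.0.0', 'source-map': '^0.5.3', 'supports-color': '^3.1.0',
  tapable: '~0.2.5', 'uglify-js': '^2.8.5', watchpack: '^1.2.0',
  'webpack-sources': '^0.2.0', yargs: '^6.0.0',
};

// Constructed npm-shrinkwrap.json fragment (hypothetical versions and hashes,
// not a real lockfile): webpack pinned, uglify-js pinned nested under it, and
// source-map deliberately missing its integrity field so auditLock flags it.
const shrinkwrap = {
  name: 'our-app', version: '1.0.0', lockfileVersion: 1,
  dependencies: {
    webpack: {
      version: '2.2.1',
      resolved: 'https://registry.npmjs.org/webpack/-/webpack-2.2.1.tgz',
      integrity: 'sha512-PLACEHOLDER',
      requires: { 'uglify-js': '^2.8.5', 'source-map': '^0.5.3' },
      dependencies: {
        'uglify-js': {
          version: '2.8.29',
          resolved: 'https://registry.npmjs.org/uglify-js/-/uglify-js-2.8.29.tgz',
          integrity: 'sha512-PLACEHOLDER',
        },
      },
    },
    'source-map': {
      version: '0.5.7',
      resolved: 'https://registry.npmjs.org/source-map/-/source-map-0.5.7.tgz',
    },
  },
};

// One summary object so the results can be checked rather than just printed.
function report() {
  return {
    appUnpinned: findUnpinned(appDependencies).map(([n]) => n),
    webpackUnpinned: findUnpinned(webpackDependencies).map(([n]) => n),
    uglifyVersions: resolvedVersions(shrinkwrap, 'uglify-js'),
    lockProblems: auditLock(shrinkwrap),
  };
}

console.log(JSON.stringify(report(), null, 2));
```

The shrinkwrap above pins uglify-js to 2.8.29 even though webpack only declares `^2.8.5`; once `npm-shrinkwrap.json` is committed, `npm install` resolves from it instead of asking the registry for the newest match, which is exactly what the container in the question was doing. On current npm, `package-lock.json` plays the same role for an application (it is not published with the package, unlike `npm-shrinkwrap.json`), and `npm ci` installs strictly from the lockfile and exits with an error if it disagrees with package.json.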