package-lock.json 的作用是什么? [英] What is the role of the package-lock.json?
问题描述
npm@5 已经发布,它有一个新特性 package-lock.json 文件(在 npm install 之后)这让我很困惑.我想知道,这个文件的作用是什么?
npm@5 has been published, it has a new feature package-lock.json file (after npm install) which confuses me. I want to know, what is the effect of this file?
推荐答案
它存储一个精确的、版本化的依赖树,而不是像 package.json 本身(例如 1.0.*)那样使用带星号的版本控制.这意味着您可以保证其他开发人员或产品发布等的依赖项.它也有锁定树的机制,但通常会在 package.json 更改时重新生成.
It stores an exact, versioned dependency tree rather than using starred versioning like package.json itself (e.g. 1.0.*). This means you can guarantee the dependencies for other developers or prod releases, etc. It also has a mechanism to lock the tree but generally will regenerate if package.json changes.
来自 npm 文档:
package-lock.json 会为任何 npm 修改 node_modules 树或 package.json 的操作自动生成.它描述了生成的确切树,以便后续安装能够生成相同的树,而不管中间依赖项更新如何.
package-lock.json is automatically generated for any operations where npm modifies either the node_modules tree, or package.json. It describes the exact tree that was generated, such that subsequent installs are able to generate identical trees, regardless of intermediate dependency updates.
此文件旨在提交到源代码库中,并用于多种用途:
This file is intended to be committed into source repositories, and serves various purposes:
描述依赖树的单一表示,以便保证团队成员、部署和持续集成安装完全相同的依赖项.
Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.
为用户提供时间旅行"的便利到 node_modules 的先前状态,而无需提交目录本身.
Provide a facility for users to "time-travel" to previous states of node_modules without having to commit the directory itself.
通过可读的源代码控制差异来提高树变化的可见性.
To facilitate greater visibility of tree changes through readable source control diffs.
并通过允许 npm 跳过先前安装的软件包的重复元数据解析来优化安装过程."
And optimize the installation process by allowing npm to skip repeated metadata resolutions for previously-installed packages."
编辑
回答 jrahhali 下面关于只使用具有确切版本号的 package.json 的问题.请记住,您的 package.json 仅包含您的直接依赖项,而不包含您的依赖项的依赖项(有时称为嵌套依赖项).这意味着使用标准 package.json 您无法控制这些嵌套依赖项的版本,直接引用它们或作为对等依赖项将无济于事,因为您也无法控制直接依赖项为这些嵌套依赖项定义的版本容限.
Edit
To answer jrahhali's question below about just using the package.json with exact version numbers. Bear in mind that your package.json contains only your direct dependencies, not the dependencies of your dependencies (sometimes called nested dependencies). This means with the standard package.json you can't control the versions of those nested dependencies, referencing them directly or as peer dependencies won't help as you also don't control the version tolerance that your direct dependencies define for these nested dependencies.
即使您锁定了直接依赖项的版本,也不能 100% 保证您的完整依赖项树每次都相同.其次,您可能希望允许对直接依赖项进行不间断更改(基于语义版本控制),这使您对嵌套依赖项的控制更少,而且您再次无法保证您的直接依赖项不会在某些时候破坏语义版本控制规则自己.
Even if you lock down the versions of your direct dependencies you cannot 100% guarantee that your full dependency tree will be identical every time. Secondly you might want to allow non-breaking changes (based on semantic versioning) of your direct dependencies which gives you even less control of nested dependencies plus you again can't guarantee that your direct dependencies won't at some point break semantic versioning rules themselves.
所有这些的解决方案是锁定文件,如上所述锁定完整依赖树的版本.这使您可以为其他开发者或发行版保证您的依赖树,同时仍然允许使用标准 package.json 测试新的依赖版本(直接或间接).
The solution to all this is the lock file which as described above locks in the versions of the full dependency tree. This allows you to guarantee your dependency tree for other developers or for releases whilst still allowing testing of new dependency versions (direct or indirect) using your standard package.json.
注意.之前的shrink wrap json 做了几乎相同的事情,但锁定文件对其进行了重命名,以便其功能更加清晰.如果项目中已有收缩包装文件,则将使用该文件而不是任何锁定文件.
NB. The previous shrink wrap json did pretty much the same thing but the lock file renames it so that it's function is clearer. If there's already a shrink wrap file in the project then this will be used instead of any lock file.
这篇关于package-lock.json 的作用是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
