What is the difference between yarn.lock and npm's shrinkwrap?

Question

Recently I tried installing my Node packages with Yarn. It works great and it's a lot faster than NPM. Yarn automatically generates yarn.lock. We already have NPM shrinkwrap (npm-shrinkwrap.json).

Is there any difference between them? Does yarn.lock have any advantage over npm-shrinkwrap.json?

Recommended answer

The yarn.lock file is quite similar to other package managers' lock files, especially Rust's Cargo package manager, which has Cargo.lock. The idea of these lock files is to represent a consistent set of packages that should always work.

npm stores dependency ranges in the package.json file, which means that when someone installs your package, they might get a different set of dependencies to you, since you might be running outdated packages (although they still satisfy the dependency range you specified). Take, for example, someone who has specified the dependency "foo": "^1.0.0". They might have actually installed foo v1.0.1, because that was the latest when they ran npm install, but later on, someone installs your package and gets the dependency foo v1.1.0. This might break something unexpectedly, which can be avoided if you have a yarn.lock file which guarantees consistent package resolution.

As for comparison with npm shrinkwrap, the documentation explains it very clearly:

It’s similar to npm’s npm-shrinkwrap.json, however it’s not lossy and it creates reproducible results.

The documentation also advises committing yarn.lock to your repositories, if you're not already doing this, so you can reap the benefits of consistent and reproducible package resolution. This question also explains further why you should do this.

The lossy behaviour of npm shrinkwrap is due to the non-deterministic algorithms used by npm itself; as stated in the comments of another answer, npm shrinkwrap > npm install > npm shrinkwrap is not guaranteed to produce the same output as just shrinkwrapping once, whereas Yarn explicitly uses "an install algorithm that is deterministic and reliable".
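
The "^1.0.0" scenario from the answer, worked through as an added example that is not part of the original answer: the same range resolves to different versions as the registry changes, while a committed lock entry keeps the install at the version first resolved. The registry snapshots, the package foo and the helpers satisfiesCaret, resolve and install are constructed for illustration, and the caret matching is a simplified model, not Yarn's or npm's resolver.

```javascript
// Added example. Registry contents are constructed; caret matching is
// simplified (plain X.Y.Z only, no prerelease or build tags).
const parse = (v) => v.split('.').map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// ^M.m.p allows changes that keep the left-most non-zero component fixed.
function satisfiesCaret(version, range) {
  const base = range.slice(1);
  const [M, m, p] = parse(base);
  const [vM, vm, vp] = parse(version);
  if (cmp(version, base) < 0) return false;
  if (M > 0) return vM === M;
  if (m > 0) return vM === 0 && vm === m;
  return vM === 0 && vm === 0 && vp === p;
}

// Highest published version that satisfies the range.
function resolve(range, published) {
  const ok = published.filter((v) => satisfiesCaret(v, range)).sort(cmp);
  if (ok.length === 0) throw new Error(`nothing satisfies ${range}`);
  return ok[ok.length - 1];
}

// Lock entries are keyed "name@range", as in a yarn.lock (v1) file.
// A key found in the lock wins; anything else is resolved fresh.
function install(deps, registry, lock = {}) {
  const result = {};
  for (const [name, range] of Object.entries(deps)) {
    const key = `${name}@${range}`;
    result[key] = lock[key] ?? resolve(range, registry[name]);
  }
  return result;
}

const deps = { foo: '^1.0.0' };                       // from package.json
const registryThen = { foo: ['1.0.0', '1.0.1'] };     // author's install
const registryLater = { foo: ['1.0.0', '1.0.1', '1.1.0', '2.0.0'] };

const lock = install(deps, registryThen);             // what gets committed
const unlocked = install(deps, registryLater);        // range only
const locked = install(deps, registryLater, lock);    // range + lock
console.log({ lock, unlocked, locked });
```

In this model, editing the range in package.json changes the lock key, so that dependency is resolved fresh even though a lock file exists; review lock file diffs with the same care as manifest changes.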
