yarn/npm5 锁文件和确切的包版本之间的区别? [英] Difference between yarn/npm5 lockfiles and exact package versions?
问题描述
我的简单问题是:为什么我不能在 package.json 中使用精确版本?这与锁定文件有何不同?
My simple question is: why can't I just use exact versions in my package.json? How is this different from a lockfile?
推荐答案
主要区别在于锁文件还锁定嵌套依赖项 - 您的依赖项的所有依赖项,等等.管理和跟踪所有这些更改可能非常困难,而且使用的软件包数量可能呈指数级增长.
The main difference is that lockfiles also lock nested dependencies - all of the dependencies of your dependencies, and so on. Managing and tracking all of those changes can be incredibly difficult, and the number of packages that are used can grow exponentially.
在某些情况下,您无法手动指定应使用包的特定版本 - 考虑在 ~1.0.0 和 foo 处指定 foo 的 2 个库code>~2.0.0 分别.主要版本的差异告诉我们 foo@v1 的 API 与 foo@v2 的 API 不匹配,因此您无法在应用级别覆盖包版本而不会导致冲突和失败.
There are also situations where you cannot manually specify that a particular version of a package should be used - consider 2 libraries that specify foo at ~1.0.0 and ~2.0.0 respectively. The difference in major version tells us that the API of foo@v1 is not going to match the API of foo@v2, so there's no way you could override the package version at your app level without causing conflicts and failures.
最后,您可能想知道为什么要使用 semver?为什么不让所有包手动指定其依赖项的确切版本?"semver 的主要优点之一是它意味着您不必在子依赖项更新时更新树中的每个依赖项.如果我依赖于 foo,而 foo 依赖于 bar,而 bar 只是有一个被修补的严重错误,并且我们对所有内容都使用精确版本,那么在我获得修复之前也必须更新 foo.如果 foo 和 bar 有不同的维护者,或者如果 foo 被放弃,那可能需要一段时间,我可能需要 fork 项目(我在 Java 领域做过不止一次的事情).
Finally, you might wonder "why have semver at all then? Why not just have all packages manually specify the exact version of their dependencies?" One of the main advantages of semver is it means you don't have to update every dependency in the tree whenever a sub-dependency updates. If I rely on foo, and foo relies on bar, and bar just had a critical bug that was patched, and we're using exact versions for everything, then foo must also be updated before I can get the fix. If foo and bar have different maintainers, or if foo is abandoned, that could take a while and I may need to fork the project (something I've done more than once in Java-land).
这对于维护库生态系统非常有用,因为它从根本上减少了依赖树中每个节点所需的维护工作量,从而更容易提取库和模式.我曾经有一个早期的项目,我们正在构建一个使用精确版本的组件库,每当包含共享功能的核心库更新时,我们都必须向 每个 其他包提交一个 PR,以便更新版本,有时还会对依赖于 那些 的组件进行后续 PR.毋庸置疑,我们在几个月后整合了这些包裹.
This is very useful for maintaining ecosystems of libraries because it fundamentally reduces the amount of maintenance work required per-node in the dependency tree, making it easier to extract libraries and patterns. I once had an early project where we were building a component library that used exact versions, and any time the core library containing shared functionality was updated, we had to submit a PR to each of the other packages to update the version, and sometimes followup PRs to components that depended on those. Needless to say, we consolidated the packages after a few months.
希望有帮助!
这篇关于yarn/npm5 锁文件和确切的包版本之间的区别?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
