npm - How to actually use package-lock.json for installing based on locked versions?


Problem description


Just updated from npm 3 to 5, to use this feature.

Sorry, I must be missing something totally obvious, but how do I make npm respect the pinned versions in the package-lock.json file when installing?

Let's say I have a package.json with a fair bit of outdated packages. Doing an npm install will pull in new stuff and breaks my app.

For example, the main package I want to stabilize is bootstrap - I want to block its version at bootstrap@4.0.0-alpha.6 for now, but npm install finds 4.0.0-beta.28.

If I npm update any package, package-lock.json gets updated.

Let's go to my development directory.

This is my package.json entry for bootstrap:

"bootstrap": "^4.0.0-alpha.6"

And this is what I see for my installed packages and meta data:

$ npm list 2>/dev/null | grep bootstrap
├─┬ bootstrap@4.0.0-alpha.6
├─┬ bootstrap-vue@0.16.1
│ ├── bootstrap@4.0.0-alpha.6 deduped


(env) jluc@py$ grep bootstrap package.json package-lock.json
package.json:    "bootstrap": "^4.0.0-alpha.6",
package.json:    "bootstrap-vue": "^0.16.1",
package-lock.json:    "bootstrap": {
package-lock.json:      "version": "https://registry.npmjs.org/bootstrap/-/bootstrap-4.0.0-alpha.6.tgz",
package-lock.json:    "bootstrap-vue": {
package-lock.json:      "version": "https://registry.npmjs.org/bootstrap-vue/-/bootstrap-vue-0.16.1.tgz",
package-lock.json:        "bootstrap": "https://registry.npmjs.org/bootstrap/-/bootstrap-4.0.0-alpha.6.tgz",

Looks good. Lock is bootstrap-4.0.0-alpha.6.

But how do I actually use that package-lock.json?

Here's what I did:

  • created a brand new directory
  • copied in package.json and package-lock.json
  • ran npm install.

No good. npm again found bootstrap beta and package-lock.json had no effect, in fact it was rewritten from what npm install did. Which is consistent with the behavior you want in dev, but doesn't tell me how I would use the lockfile to stabilize my packages.

(env) jluc@trynpmlock$ npm list 2>/dev/null | grep bootstrap
├── bootstrap@4.0.0-beta.2
├─┬ bootstrap-vue@0.16.1
│ ├── bootstrap@4.0.0-beta.2 deduped

(env) jluc@trynpmlock$ grep bootstrap package.json package-lock.json
package.json:    "bootstrap": "^4.0.0-alpha.6",
package.json:    "bootstrap-vue": "^0.16.1",
package-lock.json:    "bootstrap": {
package-lock.json:      "resolved": "https://registry.npmjs.org/bootstrap/-/bootstrap-4.0.0-beta.2.tgz",
package-lock.json:    "bootstrap-vue": {
package-lock.json:      "resolved": "https://registry.npmjs.org/bootstrap-vue/-/bootstrap-vue-0.16.1.tgz",
package-lock.json:        "bootstrap": "4.0.0-beta.2",

  • If I delete the package.json and only have a directory with package-lock.json, then npm install installs very little and leaves me with a truncated package-lock.json

  • npm install has a --no-package-lock option, but that prevents updating the package-lock.json.

Basically, how do I tell npm to install everything from package.json, but respect the locks in package-lock.json? Do I use a different command than npm install? Is it because npm install's doc refers to locks in the context of a package installation, but locks don't apply when you install the package.json in its entirety?

Yes, I know I can specify "bootstrap": "4.0.0-alpha.6", minus the ^, to pin the version manually.

My environment:

(env) jluc@py$ npm -v
5.5.1

Solution

You need to use the npm ci command to install from package-lock.json.

See: https://blog.npmjs.org/post/171556855892/introducing-npm-ci-for-faster-more-reliable
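The answer above depends on package.json and package-lock.json agreeing (npm ci refuses to install when they are out of sync). As an added example, not code from the question or the answer, here is a small Node script that performs that kind of check offline on constructed copies of the two files built from the question's values, and also flags lock entries that carry no integrity hash; the integrity value and the extra left-pad dependency are assumptions.

```javascript
// Added example (not from the question or answer): a pre-install gate that
// mirrors the consistency check `npm ci` does before installing from the lock.
// Flags: dependencies declared in package.json but absent from package-lock.json,
// lock entries without an "integrity" hash, and entries whose "resolved" tarball
// name disagrees with "version". Inputs are constructed from the question's values.
const packageJson = {
  dependencies: {
    "bootstrap": "^4.0.0-alpha.6",
    "bootstrap-vue": "^0.16.1",
    "left-pad": "^1.3.0" // constructed: declared here but missing from the lock
  }
};
const packageLock = { // lockfileVersion 1 layout (npm 5.x); integrity is a placeholder
  dependencies: {
    "bootstrap": {
      version: "4.0.0-alpha.6",
      resolved: "https://registry.npmjs.org/bootstrap/-/bootstrap-4.0.0-alpha.6.tgz",
      integrity: "sha512-PLACEHOLDER"
    },
    "bootstrap-vue": { // no integrity field: npm cannot verify this download
      version: "0.16.1",
      resolved: "https://registry.npmjs.org/bootstrap-vue/-/bootstrap-vue-0.16.1.tgz"
    }
  }
};

// Version embedded in a registry tarball URL: .../<name>-<version>.tgz
function versionFromTarball(name, resolved) {
  const file = (resolved || "").split("/").pop();
  const prefix = name.split("/").pop() + "-"; // scoped @org/pkg -> "pkg-"
  if (!file.startsWith(prefix) || !file.endsWith(".tgz")) return null;
  return file.slice(prefix.length, -".tgz".length);
}

// Empty result means every declared dependency is pinned and verifiable.
function auditLock(pkg, lock) {
  const findings = [];
  const locked = lock.dependencies || {};
  for (const [name, range] of Object.entries(pkg.dependencies || {})) {
    const entry = locked[name];
    if (!entry) { findings.push(`${name}: declared as ${range} but not in the lock`); continue; }
    if (!entry.integrity) findings.push(`${name}: lock entry has no integrity hash`);
    const fromUrl = versionFromTarball(name, entry.resolved);
    if (fromUrl && fromUrl !== entry.version)
      findings.push(`${name}: version ${entry.version} but tarball is ${fromUrl}`);
  }
  return findings;
}

auditLock(packageJson, packageLock).forEach(f => console.log("FAIL " + f));
```

Run it against real files by replacing the two constructed objects with `JSON.parse(fs.readFileSync(...))`; a non-empty finding list is the condition under which npm ci would either refuse to run or install something it cannot verify.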
