Angular and NPM dependencies VS devDependencies

Question

After a bunch of reading on this matter and following this very useful post: What's the difference between dependencies, devDependencies and peerDependencies in npm package.json file?

I know that dependencies should reference every runtime lib and devDependencies references every useful for development dependencies.

But I am now confused. For production usage, I will have to ng build --production my Angular app. If I do npm install --production, I can't even compile with ng build --production. I need to npm install and get every devDependencies installed. Knowing that, I tried to put everything under devDependencies, and then I did an ng build --prod, the resulting [dist] folder has everything needed, and can be served as a full angular app.

So, first question: apart from making an "on paper" difference between runtime libs and development libs, why should I use dependencies?

Other question: To avoid vulnerabilities on dependencies of dependencies I can force the usage of a specific version by putting this lib in the package.json (as long as the major version is the same). But I would like to avoid putting this lib in the dependencies or devDependencies, should I put this lib under peerDependencies? optionalDependencies? bundledDependencies?

Thanks for any inputs on this.

Edit

Example package.json has been required:

{
  "name": "ANGULAR_PROJECT",
  "version": "X.Y.Z",
  "repository": {
    "type": "git",
    "url": "A_GIT_URL"
  },
  "scripts": {
    "ng": "ng",
    "test": "ng test",
    "e2e": "protractor e2e/conf/protractor.conf.js",
    "e2e:dev": "protractor e2e/conf/protractor-dev.conf.js"
  },
  "private": true,
  "dependencies": {
  },
  "devDependencies": {
    "@angular/pwa": "^0.12.4",
    "@angular/animations": "^8.2.11",
    "@angular/cdk": "^8.2.3",
    "@angular/common": "^8.2.11",
    "@angular/compiler": "^8.2.11",
    "@angular/core": "^8.2.11",
    "@angular/forms": "^8.2.11",
    "@angular/material": "^8.2.3",
    "@angular/material-moment-adapter": "^8.2.3",
    "@angular/platform-browser": "^8.2.11",
    "@angular/platform-browser-dynamic": "^8.2.11",
    "@angular/platform-server": "^8.2.11",
    "@angular/router": "^8.2.11",
    "@angular/service-worker": "^8.2.11",
    "@mat-datetimepicker/core": "^2.0.1",
    "@mat-datetimepicker/moment": "^2.0.1",
    "@ngrx/effects": "8.4.0",
    "@ngrx/router-store": "8.4.0",
    "@ngrx/schematics": "8.4.0",
    "@ngrx/store": "8.4.0",
    "@ngrx/store-devtools": "8.4.0",
    "@swimlane/ngx-charts": "12.0.1",
    "angular-gridster2": "^8.2.0",
    "angular-particle": "^1.0.4",
    "array-flat-polyfill": "^1.0.1",
    "apollo-angular": "^1.8.0",
    "apollo-angular-link-http": "^1.9.0",
    "apollo-cache-inmemory": "^1.6.3",
    "apollo-client": "^2.6.4",
    "apollo-link": "^1.2.13",
    "classlist.js": "^1.1.20150312",
    "core-js": "^2.5.4",
    "graphql": "14.0.0",
    "graphql-tag": "^2.10.1",
    "hammerjs": "^2.0.8",
    "json-server": "^0.14.2",
    "jsonpath": "^1.0.2",
    "moment": "^2.22.2",
    "ngrx-store-freeze": "^0.2.4",
    "ngrx-store-localstorage": "^8.0.0",
    "ngx-cacheable": "^1.2.5",
    "ngx-parallax": "^4.0.0",
    "node-sass": "4.13.1",
    "rxjs": "^6.5.3",
    "web-animations-js": "^2.3.2-pr208",
    "xlsx": "^0.14.2",
    "zone.js": "~0.9.1",
    ----------------------------------------------- REAL DEV DEPENDENCIES UNDER
    "@angular-devkit/build-angular": "^0.803.10",
    "@angular/cli": "^8.3.10",
    "@angular/compiler-cli": "^8.2.11",
    "@angular/language-service": "^8.2.11",
    "@commitlint/cli": "^7.2.1",
    "@types/chai": "^4.2.6",
    "@types/cucumber": "^6.0.0",
    "@types/jasmine": "~3.4.6",
    "@types/jasminewd2": "~2.0.8",
    "@types/node": "~8.9.4",
    "chai": "^4.2.0",
    "codelyzer": "~5.2.0",
    "commitizen": "^4.0.3",
    "conventional-changelog-cli": "^2.0.1",
    "cucumber": "5.1.0",
    "cucumber-html-reporter": "^5.0.2",
    "cz-customizable": "^5.3.0",
    "cz-customizable-ghooks": "^1.5.0",
    "husky": "^4.2.1",
    "jasmine-core": "~3.5.0",
    "jasmine-spec-reporter": "~4.2.1",
    "karma": "~4.4.1",
    "karma-chrome-launcher": "~3.1.0",
    "karma-coverage-istanbul-reporter": "~2.1.0",
    "karma-jasmine": "~2.0.1",
    "karma-jasmine-html-reporter": "^1.4.2",
    "karma-sonarqube-reporter": "^1.2.5",
    "karma-sonarqube-unit-reporter": "^0.0.21",
    "karma-spec-reporter": "0.0.32",
    "lint-staged": "^8.1.0",
    "mkdirp": "^0.5.1",
    "ng-mocks": "^8.1.0",
    "prettier": "^1.15.3",
    "protractor": "5.4.2",
    "protractor-cucumber-framework": "^6.2.0",
    "rxjs-compat": "^6.3.3",
    "ts-comparators": "^1.0.0",
    "ts-mockery": "1.2.0",
    "ts-node": "~7.0.1",
    "tslint": "~5.11.0",
    "tslint-config-prettier": "^1.18.0",
    "tslint-plugin-prettier": "^2.0.1",
    "typescript": "^3.1.6"
  },
  "peerDependencies": {

  }
}

Recommended answer

Apart from making an "on paper" difference between runtime libs and development libs, why should I use dependencies?

Response: It makes no difference, do what you want. But know this:

  • It's good to know if a dependency is a prod or dev dependency, even if it's an "on paper" difference, so try to be accurate.
  • To know for sure if a dependency is really used in your final build, you can use a special lib for that. I got a preference for https://www.npmjs.com/package/webpack-bundle-analyzer, because it enables searching for a dependency through a search field.
  • If you need to use some npm command with --prod, these will just use the "dependencies" stack in your package.json. npm ls @angular-devkit/build-angular --json --prod won't return any result if this dependency is in the "devDependencies". But it will return a result if @angular-devkit/build-angular is in "dependencies".

For the other question: To avoid vulnerabilities on dependencies of dependencies I can force the usage of a specific version by putting this lib in the package.json (as long as the major version is the same). But I would like to avoid putting this lib in the dependencies or devDependencies, should I put this lib under peerDependencies? optionalDependencies? bundledDependencies?

Response: the best way to do that is to use the npm tool npm-force-resolutions, and not to reference these dependencies under any of these entries.

More info on npm-force-resolutions: here, for example: https://stackoverflow.com/a/62956076/2376892
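The answer recommends forcing transitive versions with npm-force-resolutions. As an added example (not from the original answer and not that tool's own code), this Node.js check walks a parsed package-lock.json and reports every copy of a pinned package that is still installed at a different version. The package names, versions and lock contents are constructed, and the resolutions map is assumed to hold exact versions.

```javascript
// Added example: confirm pinned versions are the only ones in a lockfile.
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").
function collectInstalled(lock) {
  const found = []; // entries of { name, version, path }
  if (lock.packages) {
    const marker = 'node_modules/';
    for (const [path, meta] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf(marker);
      // Skip the root project (""), workspace folders and symlink entries.
      if (idx < 0 || !meta.version) continue;
      found.push({ name: path.slice(idx + marker.length), version: meta.version, path });
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix ? `${prefix} > ${name}` : name;
      found.push({ name, version: meta.version, path });
      walk(meta.dependencies, path); // nested copies live under the parent
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// resolutions: { packageName: exactVersion }, the shape assumed for this check.
function findResolutionViolations(lock, resolutions) {
  const pinned = (name) => Object.prototype.hasOwnProperty.call(resolutions, name);
  return collectInstalled(lock).filter(
    (p) => pinned(p.name) && p.version !== resolutions[p.name]
  );
}

// Constructed sample data; both package names are hypothetical.
const resolutions = { 'example-transitive-lib': '1.2.4' };
const sampleLockV1 = {
  lockfileVersion: 1,
  dependencies: {
    'example-transitive-lib': { version: '1.2.4' },
    'some-framework': {
      version: '8.2.11',
      dependencies: { 'example-transitive-lib': { version: '1.2.0' } },
    },
  },
};

for (const v of findResolutionViolations(sampleLockV1, resolutions)) {
  console.log(`${v.path}: ${v.version} (expected ${resolutions[v.name]})`);
}
```

Run in CI after npm install, a non-empty result means a nested copy escaped the pin and the build should fail.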
