Why does "npm install" rewrite package-lock.json?


Question

I just recently upgraded to npm@5. I now have a package-lock.json file with everything from package.json. I would expect that, when I run npm install, the dependency versions would be pulled from the lock file to determine what should be installed in my node_modules directory. What's strange is that it actually ends up modifying and rewriting my package-lock.json file.

For example, the lock file had typescript specified to be at version 2.1.6. Then, after the npm install command, the version was changed to 2.4.1. That seems to defeat the whole purpose of a lock file.

What am I missing? How do I get npm to actually respect my lock file?

Answer

Update 3: As other answers point out as well, the npm ci command got introduced in npm 5.7.0 as an additional way to achieve fast and reproducible builds in the CI context. See the documentation and npm blog for further information.

Update 2: The issue to update and clarify the documentation is GitHub issue #18103.

Update 1: The behaviour that was described below got fixed in npm 5.4.2: the currently intended behaviour is outlined in GitHub issue #17979.

Original answer: The behaviour of package-lock.json was changed in npm 5.1.0 as discussed in issue #16866. The behaviour that you observe is apparently intended by npm as of version 5.1.0.

That means that package.json can override package-lock.json whenever a newer version is found for a dependency in package.json. If you want to pin your dependencies effectively, you now must specify the versions without a prefix, e.g., you need to write them as 1.2.0 instead of ~1.2.0 or ^1.2.0. Then the combination of package.json and package-lock.json will yield reproducible builds. To be clear: package-lock.json alone no longer locks the root level dependencies!

Whether this design decision was good or not is arguable; there is an ongoing discussion resulting from this confusion on GitHub in issue #17979. (In my eyes it is a questionable decision; at least the name lock doesn't hold true any longer.)

One more side note: there is also a restriction for registries that don't support immutable packages, such as when you pull packages directly from GitHub instead of npmjs.org. See this documentation of package locks for further explanation.
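The pinning advice above can be turned into a check. The following is an added example, not code from the question, the answer or npm itself: it audits a package.json against its package-lock.json, flagging every specifier that is a range (and therefore movable by npm install under npm 5.1.0+) and every pinned entry whose locked version already differs. It assumes the npm 5 lock layout (dependencies[name].version) and, as an extra, the newer packages["node_modules/<name>"] layout; the sample manifest and lock are constructed.

```javascript
// Added example (not from the question or answer): audit package.json against
// package-lock.json as the answer suggests, flagging range specifiers (~, ^,
// >=, *) that npm 5.1.0+ may move on install, and pins the lock disagrees with.

// Exact version: 1.2.0, optionally with prerelease/build, and no range operator.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

function isExactVersion(spec) {
  return EXACT_VERSION.test(String(spec).trim());
}

// Locked version of a top-level dependency: npm 5 (lockfileVersion 1) keeps it in
// dependencies[name].version; newer locks (assumed) in packages["node_modules/<name>"].
function lockedVersion(lock, name) {
  const pkgEntry = lock.packages && lock.packages[`node_modules/${name}`];
  if (pkgEntry && pkgEntry.version) return pkgEntry.version;
  const depEntry = lock.dependencies && lock.dependencies[name];
  return depEntry ? depEntry.version : undefined;
}

// One finding per dependency/devDependency: kind is "range" (not pinned),
// "missing" (pinned but absent from lock), "drift" (lock disagrees) or "ok".
function auditLock(pkg, lock) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.entries(deps).map(([name, spec]) => {
    const locked = lockedVersion(lock, name);
    let kind = 'ok';
    if (!isExactVersion(spec)) kind = 'range';
    else if (locked === undefined) kind = 'missing';
    else if (locked !== spec) kind = 'drift';
    return { name, spec, locked, kind };
  });
}

// Constructed sample mirroring the question: the lock has typescript 2.1.6,
// but package.json allows ^2.1.6, so npm 5.1.0+ may rewrite the lock to 2.4.1.
const samplePkg = {
  dependencies: { typescript: '^2.1.6', lodash: '4.17.4' },
  devDependencies: { mocha: '~3.5.0', chai: '4.1.2' },
};
const sampleLock = {
  lockfileVersion: 1,
  dependencies: { typescript: { version: '2.1.6' }, lodash: { version: '4.17.4' },
                  mocha: { version: '3.5.3' } }, // chai deliberately absent
};

for (const f of auditLock(samplePkg, sampleLock).filter((f) => f.kind !== 'ok')) {
  console.log(`${f.kind}: ${f.name} spec=${f.spec} locked=${f.locked}`);
}
```

Run it as a pre-commit or CI step and fail the build on any "range" or "drift" finding; npm ci (npm 5.7.0+) then installs exactly what the lock records.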
