In version 5, npm introduced the package-lock.json file.
What's that? You probably know about the package.json file, which is much more common and has been around for much longer.
The goal of the file is to record the exact version of every package that is installed, so that a project can be reproduced identically on any machine, even after the packages' maintainers publish newer versions.
This solves a very specific problem that package.json left unsolved. In package.json you set which versions you are willing to upgrade to (patch or minor) using the semver notation, for example:
- if you write ~0.13.0, you only want to update patch releases: 0.13.1 is ok, but 0.14.0 is not.
- if you write ^0.13.0, you want to update patch and minor releases. Be careful with a leading zero, though: the caret never changes the leftmost non-zero component, so ^0.13.0 allows 0.13.1 but not 0.14.0, exactly like the tilde. With a non-zero major version, ^1.13.0 allows 1.13.1 and 1.14.0, but not 2.0.0.
- if you write 0.13.0, that is the exact version that will be used, always.
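To make the three range forms concrete, here is a small matcher written for this page. It is not npm's own implementation (npm uses the semver package), and it only handles plain x.y.z versions, but it implements the tilde, caret and exact forms, including the caret's special treatment of a leading zero, and it picks the highest matching version the way npm does when it resolves a range against what a registry offers. The version lists handed to pickHighest are constructed inputs.

```javascript
// Added example, not code from the original article or from npm.
// Supports "~x.y.z", "^x.y.z" and an exact "x.y.z"; pre-release tags,
// wildcards and hyphen ranges are deliberately out of scope.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number); // [major, minor, patch]
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Return the half-open interval [lo, hi) of versions a range allows.
function rangeBounds(range) {
  const r = range.trim();
  if (r.startsWith('~')) {
    // tilde: patch releases only, i.e. < x.(y+1).0
    const lo = parseVersion(r.slice(1));
    return { lo, hi: [lo[0], lo[1] + 1, 0] };
  }
  if (r.startsWith('^')) {
    // caret: the leftmost non-zero component must not change
    const lo = parseVersion(r.slice(1));
    if (lo[0] > 0) return { lo, hi: [lo[0] + 1, 0, 0] }; // ^1.13.0 -> < 2.0.0
    if (lo[1] > 0) return { lo, hi: [0, lo[1] + 1, 0] }; // ^0.13.0 -> < 0.14.0
    return { lo, hi: [0, 0, lo[2] + 1] };                 // ^0.0.3  -> exactly 0.0.3
  }
  // exact version
  const lo = parseVersion(r);
  return { lo, hi: [lo[0], lo[1], lo[2] + 1] };
}

function satisfies(range, version) {
  const { lo, hi } = rangeBounds(range);
  const v = parseVersion(version);
  return compare(v, lo) >= 0 && compare(v, hi) < 0;
}

// Given a range and the versions a registry offers (constructed input here),
// return the one npm would install: the highest that satisfies the range, or null.
function pickHighest(range, available) {
  const ok = available.filter((v) => satisfies(range, v)).map(parseVersion);
  if (ok.length === 0) return null;
  ok.sort(compare);
  return ok[ok.length - 1].join('.');
}

// Stand-alone demonstration of the three forms from the list above.
for (const [range, version] of [['~0.13.0', '0.14.0'], ['^0.13.0', '0.14.0'], ['^1.13.0', '1.14.0'], ['0.13.0', '0.13.1']]) {
  console.log(`${range} allows ${version}? ${satisfies(range, version)}`);
}
```

The second loop line is the one worth noticing: ^0.13.0 rejects 0.14.0, so with a 0.x dependency the caret and the tilde behave the same, and package.json alone gives you less drift protection than the caret's usual description suggests.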
You don't commit your node_modules folder to Git, since it is generally huge, and when you try to replicate the project on another machine with the npm install command, if you used the ~ syntax and a new patch release of a package has been published in the meantime, that newer release is what gets installed. The same goes for ^ and minor releases.
If you specify exact versions, like 0.13.0 in the example, you are not affected by this problem, at least not for your direct dependencies: the packages they in turn depend on are declared with ranges you do not control, so those can still drift between installs.
It could be you, or another person trying to initialize the project on the other side of the world by running npm install.
So your original project and the newly initialized project are actually different. Even if a patch or minor release should not introduce breaking changes, we all know bugs can (and so, they will) slide in.
The package-lock.json file sets the currently installed version of each package in stone, and npm will use those exact versions when running npm install.
This concept is not new; package managers for other languages (like Composer in PHP, with its composer.lock) have used a similar system for years.
The package-lock.json file needs to be committed to your Git repository so that it can be fetched by other people, whether the project is public, you have collaborators, or you use Git as a source for deployments.
The dependency versions in package-lock.json are updated when you run npm update. Note that a plain npm install also rewrites the lockfile whenever the ranges in package.json no longer agree with it, so the lockfile only pins things as long as nobody changes package.json. If you need the lockfile honoured strictly, for example on a CI or build machine, use npm ci: it installs exactly what package-lock.json records and fails, instead of resolving anew, when the lockfile and package.json are out of sync.
An example
This is an example of the structure of the package-lock.json file we get when we run npm install cowsay in an empty folder:
{
  "requires": true,
  "lockfileVersion": 1,
  "dependencies": {
    "ansi-regex": {
      "version": "3.0.0",
      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz",
      "integrity": "sha1-7QMXwyIGT3lGbAKWa922Bas32Zg="
    },
    "cowsay": {
      "version": "1.3.1",
      "resolved": "https://registry.npmjs.org/cowsay/-/cowsay-1.3.1.tgz",
      "integrity": "sha512-3PVFe6FePVtPj1HTeLin9v8WyLl+VmM1l1H/5P+BTTDkMAjufp+0F9eLjzRnOHzVAYeIYFF5po5NjRrgefnRMQ==",
      "requires": {
        "get-stdin": "^5.0.1",
        "optimist": "~0.6.1",
        "string-width": "~2.1.1",
        "strip-eof": "^1.0.0"
      }
    },
    "get-stdin": {
      "version": "5.0.1",
      "resolved": "https://registry.npmjs.org/get-stdin/-/get-stdin-5.0.1.tgz",
      "integrity": "sha1-Ei4WFZHiH/TFJTAwVpPyDmOTo5g="
    },
    "is-fullwidth-code-point": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-2.0.0.tgz",
      "integrity": "sha1-o7MKXE8ZkYMWeqq5O+764937ZU8="
    },
    "minimist": {
      "version": "0.0.10",
      "resolved": "https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz",
      "integrity": "sha1-3j+YVD2/lggr5IrRoMfNqDYwHc8="
    },
    "optimist": {
      "version": "0.6.1",
      "resolved": "https://registry.npmjs.org/optimist/-/optimist-0.6.1.tgz",
      "integrity": "sha1-2j6nRob6IaGaERwybpDrFaAZZoY=",
      "requires": {
        "minimist": "~0.0.1",
        "wordwrap": "~0.0.2"
      }
    },
    "string-width": {
      "version": "2.1.1",
      "resolved": "https://registry.npmjs.org/string-width/-/string-width-2.1.1.tgz",
      "integrity": "sha512-nOqH59deCq9SRHlxq1Aw85Jnt4w6KvLKqWVik6oA9ZklXLNIOlqg4F2yrT1MVaTjAqvVwdfeZ7w7aCvJD7ugkw==",
      "requires": {
        "is-fullwidth-code-point": "^2.0.0",
        "strip-ansi": "^4.0.0"
      }
    },
    "strip-ansi": {
      "version": "4.0.0",
      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-4.0.0.tgz",
      "integrity": "sha1-qEeQIusaw2iocTibY1JixQXuNo8=",
      "requires": {
        "ansi-regex": "^3.0.0"
      }
    },
    "strip-eof": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/strip-eof/-/strip-eof-1.0.0.tgz",
      "integrity": "sha1-u0P/VZim6wXYm1n80SnJgzE2Br8="
    },
    "wordwrap": {
      "version": "0.0.3",
      "resolved": "https://registry.npmjs.org/wordwrap/-/wordwrap-0.0.3.tgz",
      "integrity": "sha1-o9XabNXAvAAI03I0u68b7WMFkQc="
    }
  }
}
We installed cowsay, which depends on:
- get-stdin
- optimist
- string-width
- strip-eof
In turn, those packages require other packages, as we can see from the requires property that some of them have:
- ansi-regex
- is-fullwidth-code-point
- minimist
- strip-ansi
- wordwrap
They are added to the file in alphabetical order, and each one has a version field, a resolved field that points to the tarball npm downloaded, and an integrity string that npm uses to verify that download. The integrity value is a Subresource Integrity hash: the algorithm name, a dash, and the base64 digest of the tarball (sha512 for newer entries, sha1 for older ones). On every install npm recomputes the digest of what it fetched and refuses the package if it differs, so a tarball that was swapped on the registry or tampered with in transit is rejected. Two practical consequences follow: a lockfile is only as trustworthy as its resolved and integrity fields, so lockfile changes in a pull request deserve the same review as code, and sha1-only entries give weaker protection than sha512 ones. This layout is lockfileVersion 1, written by npm 5 and 6; npm 7 and later write lockfileVersion 2 or 3, which carry a packages map alongside or instead of dependencies, but the three fields mean the same thing.
Translated from: https://flaviocopes.com/package-lock-json/