npm 5 was released today其中一项新功能包括通过创建 package-lock.json
文件进行确定性安装。
这个文件应该保存在源代码管理中吗?
我假设它类似于 yarn.lock
和 composer.lock
,两者都应该保存在源代码管理中。
最佳答案
是的,package-lock.json
旨在检查到源代码控制中。如果您使用的是 npm 5+,您可能会在命令行上看到此通知:created a lockfile as package-lock.json。你应该提交这个文件。
根据 npm help package-lock.json
:
package-lock.json
is automatically generated for any operations where npm modifies either thenode_modules
tree, orpackage.json
. It describes the exact tree that was generated, such that subsequent installs are able to generate identical trees, regardless of intermediate dependency updates.This file is intended to be committed into source repositories, and serves various purposes:
Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.
Provide a facility for users to "time-travel" to previous states of
node_modules
without having to commit the directory itself.To facilitate greater visibility of tree changes through readable source control diffs.
And optimize the installation process by allowing npm to skip repeated metadata resolutions for previously-installed packages.
One key detail about
package-lock.json
is that it cannot be published, and it will be ignored if found in any place other than the toplevel package. It shares a format with npm-shrinkwrap.json, which is essentially the same file, but allows publication. This is not recommended unless deploying a CLI tool or otherwise using the publication process for producing production packages.If both
package-lock.json
andnpm-shrinkwrap.json
are present in the root of a package,package-lock.json
will be completely ignored.
关于node.js - 我是否提交由 npm 5 创建的 package-lock.json 文件?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/44206782/