Npm lock files




Hello! In the last post, we looked at the npm ecosystem as a source of chaos in our project and learned how to choose dependencies wisely to minimize our risks. Today we go a step further and look at npm lock files, which help keep a project stable while we work on it.



When the manifest is not enough



, npm ( package.json) , node_modules, .



node_modules, , , , . , , , . 100 %, , , .



npm , .



, semver, ? , , npm registry , . , , ( ) .



, , npm registry, . npm registry, . , , - ?



, , node_modules , .



, ( semver): , , . . , , , , .



, CI/CD , , . , ID Git ( Git-), ( ). , Git-, ID , . , (pure function): , , . node_modules Git, , npm. , , ( npm registry, npm . .). , npm CI/CD ID .



Lock-



, npm ( ) . : npm install, npm node_modules, package-lock.json. lock- , , URL npm registry, , SHA- . , lock- npm , .



npm install , lock- , lock-. , npm install ( ), node_modules. , lock- , npm , npm. npm , lock- , , , . - .



lock-, . , Git. CI/CD « ».



, , Git- , , . «, » (“it works on my machine”).



it worked on my machine



package-lock.json



Npm lock- , npm registry npm. code review. Diff lock- , , , . , , - . , ( , , ).



package-lock.json , — express.



400 , , .


package-lock.json



{
  "name": "test",
  "version": "1.0.0",
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
    "express": {
      "version": "4.17.1",
      "resolved": "https://registry.npmjs.org/express/-/express-4.17.1.tgz",
      "integrity": "sha512-mHJ9O79RqluphRr…7xlEMXTnYt4g==",
      "requires": {
        "debug": "2.6.9",
        "send": "0.17.1"
      }
    },
    "debug": {
      "version": "2.6.9",
      "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
      "integrity": "sha512-bC7ElrdJaJnPbAP…eAPVMNcKGsHMA==",
      "requires": {
        "ms": "2.0.0"
      }
    },
    "ms": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
      "integrity": "sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g="
    },
    "send": {
      "version": "0.17.1",
      "resolved": "https://registry.npmjs.org/send/-/send-0.17.1.tgz",
      "integrity": "sha512-BsVKsiGcQMFwT8U…cNuE3V4fT9sAg==",
      "requires": {
        "debug": "2.6.9",
        "depd": "~1.1.2",
        "destroy": "~1.0.4",
        "encodeurl": "~1.0.2",
        "escape-html": "~1.0.3",
        "etag": "~1.8.1",
        "fresh": "0.5.2",
        "http-errors": "~1.7.2",
        "mime": "1.6.0",
        "ms": "2.1.1",
        "on-finished": "~2.3.0",
        "range-parser": "~1.2.1",
        "statuses": "~1.5.0"
      },
      "dependencies": {
        "ms": {
          "version": "2.1.1",
          "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.1.tgz",
          "integrity": "sha512-tgp+dl5cGk28utY…YaD/kOWhYQvyg=="
        }
      }
    }
  }
}


, . :



  • name version — , lock-.
  • lockfileVersion — , lock-. , npm - .
  • dependencies — ; , , — .


:



  • version — .
  • resolved — URL npm, .
  • integrity — SHA- ; , , , ( ). npm, , - . npm install .
  • requires — , ( dependencies ). , — semver.
  • dependencies — dependencies, . , , .
  • dev — true, ( ).




, express ( ) debug, , , ms@2.0.0. , send ms, 2.1.1. , node_modules ms ( ), , Node.js, . (ms@2.0.0), — send (ms@2.1.1). lock-. node_modules.
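
The sample lock file above records a resolved URL and an integrity value for every package, including the private copy of ms nested under send. As an added example (not code from the original article), the function below walks a parsed lockfileVersion 1 object and reports entries that are not fetched over HTTPS from the expected registry host or that carry only a SHA-1 integrity value; the function name, the issue labels and the trusted host default are assumptions made for this sketch.

```javascript
// Added example: audit a parsed lockfileVersion 1 package-lock.json object.
// TRUSTED_HOST and the issue labels are assumptions made for this sketch.
const TRUSTED_HOST = "registry.npmjs.org";
const STRONG = new Set(["sha256", "sha384", "sha512"]);

function auditLock(lock, trustedHost = TRUSTED_HOST) {
  const findings = [];
  // Walk nested "dependencies" and keep the path, so a private copy such as
  // send > ms is reported separately from the top-level ms.
  const walk = (deps, path) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = [...path, `${name}@${entry.version}`];
      const id = here.join(" > ");
      let host = null;
      try {
        const url = new URL(entry.resolved);
        if (url.protocol === "https:") host = url.hostname;
      } catch (_) { /* missing or unparsable URL: host stays null */ }
      if (host !== trustedHost) {
        findings.push({ id, issue: "untrusted-source", detail: String(entry.resolved) });
      }
      // integrity is an SRI string: space-separated "<algo>-<base64>" tokens.
      const algos = String(entry.integrity || "")
        .split(/\s+/).filter(Boolean).map((t) => t.split("-")[0]);
      if (algos.length === 0) {
        findings.push({ id, issue: "missing-integrity", detail: "" });
      } else if (!algos.some((a) => STRONG.has(a))) {
        findings.push({ id, issue: "weak-integrity", detail: algos.join(",") });
      }
      walk(entry.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return findings;
}

// Constructed sample shaped like the lock file above; hashes are placeholders.
const sampleLock = { lockfileVersion: 1, dependencies: {
  ms: { version: "2.0.0", integrity: "sha1-PLACEHOLDER=",
        resolved: "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz" },
  send: { version: "0.17.1", integrity: "sha512-PLACEHOLDER==",
          resolved: "https://registry.npmjs.org/send/-/send-0.17.1.tgz",
          dependencies: {
            ms: { version: "2.1.1", integrity: "sha512-PLACEHOLDER==",
                  resolved: "http://mirror.example.test/ms-2.1.1.tgz" } } },
} };

console.log(auditLock(sampleLock));
```

To audit a real project, pass in the result of JSON.parse on the contents of package-lock.json. Entries with no resolved URL at all (bundled packages, for example) are reported as untrusted-source so that a reviewer looks at them.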



.





lock- , , . , . lock- .



lock- npm



lock-, - merge- Git. ( ), npm install: lock-.



lock- , merge- Git, npm. package-lock.json . , , , npm install.



merge- npm :



npx npm-merge-driver install -g


Git :



npm WARN conflict A git conflict was detected in package-lock.json.
Attempting to auto-resolve. Auto-merging package-lock.json


lock-



lock- - , npm lock-, . , npm install lodash, , npm , lock-. , npm , lock- .



, , , «» () lock-. , : npm install, npm lock-, , lock-, .



CI/CD



, npm lock- , lock- . , , CI/CD, - .



, npm npm ci. npm install, lock-. , lock-, npm ci , , ( Fail-fast). , npm ci node_modules , .



npm install CI/CD, npm ci . ! ( ).





lock- . , : package-lock.json npm registry. , npm (), lock- - . . : , ( ?) . .



Shrinkwrap



npm npm shrinkwrap. npm-shrinkwrap.json , lock-, . , , package-lock.json, npm . , , .



, , . , , Node.js, (, webpack, gulp, create-react-app . .). (npm i -g), shrinkwrap- , , . , , npm shrinkwrap. .



, npm-shrinkwrap.json package-lock.json. .



-



. , , . , ( shrinkwrap, , ).



, , , . , lock- , , ( ). npm update .



, lock- . , . , runtime- dev-. lock-, dev- - , .



, , CI/CD , lock-, . ( ) lock- ( CI/CD ).





lock- , , - . package-lock.json .gitignore npm, lock-. ( ) , . , - , , , . , , , , , .



, , , , .



!



, lock- , , , .



, . , . Diff lock- , . , . , , , , .



, , , . , ( , , ) (diff ).



, , , . : , .





, lock- npm. .



npm.



, , , , . , , .



- , , .



