Lock mechanism analysis of NPM

Time:2019-9-9

What is NPM

npm is a package management tool: open source authors publish packages on the platform for other people to download and use. Most front-end developers have used npm, so it needs no introduction here. In daily work, npm is mainly used to install a project's dependencies with npm install, according to the project's package.json.

npm install is arguably the most frequently used command. Before npm 5, npm install installed dependencies according to the version specified in package.json. But package.json usually specifies a version range rather than an exact version, for example:


"dependencies": {
  "packageA": "^2.0.0"
},

The range ^2.0.0 above means any version greater than or equal to 2.0.0 whose major version number is 2. So 2.6.10 satisfies it, while 3.0.0 and 1.0.0 do not.
Such range specifications lead to a problem. Developer A creates a new project that generates the package.json above and installs its dependencies early, when the latest version of packageA is 2.1.0; this version is compatible with the code and has no bugs. Later, developer B clones A's project. By the time B installs the dependencies, the latest version of packageA is 2.2.0, and according to the range semantics npm installs 2.2.0. But the API of 2.2.0 may have changed, producing bugs in the code.

That is the problem with package.json: installing from the same package.json at different times and in different environments can produce different results.

In theory, this problem should not arise, because npm, as part of the open source world, follows a release principle: new versions under the same major version number should be compatible with old versions. That is, the API should not change when 2.1.0 is upgraded to 2.2.0.

However, many developers of open source libraries do not strictly adhere to this release principle, which leads to the problem above.

Lock mechanism

Every new thing is born to solve a historical problem.

Because of this situation, npm 5 introduced the lock mechanism. With npm 5.0.0 and later, a package-lock.json file is automatically generated after npm install, recording the exact version of each dependency installed by the current install.

For example, when package.json declares the following dependency:

"dependencies": {
  "vue": "^2.0.0"
},

the package-lock.json generated automatically after install pins the installation of vue 2.6.10 (the latest version at the time of writing):

"dependencies": {
  "vue": {
    "version": "2.6.10",
    "resolved": "https://registry.npm.taobao.org/vue/download/vue-2.6.10.tgz",
    "integrity": "sha1-pysaQqTYKnIepDjRtr9V5mGVxjc="
  }
}

package-lock.json is equivalent to a snapshot of this install. It records not only the versions of the direct dependencies declared in package.json, but also the versions of the indirect dependencies, together with the URL each tarball was resolved from and the integrity hash of that tarball.

If we want to install the same versions of the dependencies every time, in different environments and at different times, we can carry package-lock.json along with the project.

When package.json and package-lock.json coexist, npm install checks whether the dependency version specified by package-lock.json is within the range specified by package.json. If so, it installs the version specified by package-lock.json. If not, it ignores package-lock.json, installs a new version that satisfies the range, and overwrites package-lock.json with the new version number.

For instance:

// package.json
"dependencies": {
  "vue": "^2.0.0"
}

// package-lock.json
"dependencies": {
  "vue": {
    "version": "2.1.0",
    "resolved": "https://registry.npm.taobao.org/vue/download/vue-2.1.0.tgz",
    "integrity": "sha1-KTuj76rKhGqmvL+sRc+FJMxZfj0="
  }
}

In this case, the version 2.1.0 pinned by package-lock.json is within the range ^2.0.0, so npm install installs vue 2.1.0.

// package.json
"dependencies": {
  "vue": "^2.2.0"
}

// package-lock.json
"dependencies": {
  "vue": {
    "version": "2.1.0",
    "resolved": "https://registry.npm.taobao.org/vue/download/vue-2.1.0.tgz",
    "integrity": "sha1-KTuj76rKhGqmvL+sRc+FJMxZfj0="
  }
}

In this case, the version 2.1.0 pinned by package-lock.json is not within the range ^2.2.0, so npm install installs the latest version that satisfies ^2.2.0, which is 2.6.10, and updates the version in package-lock.json to 2.6.10.

It is worth noting that this install logic was not the one adopted when npm 5 was first released. The install logic changed several times between npm 5.0 and npm 5.6, and the behaviour described here has been in use since npm 5.6.

npm ci

The lock mechanism introduced in npm 5 meets the needs of developers who require locked versions: with a package-lock.json in hand, we know the exact version of every dependency that will be installed. But attentive readers will notice that when the version pinned by package-lock.json is not within the range specified by package.json, package-lock.json is updated and overwritten. That is not what we want if the goal is to keep versions fixed.

So later npm versions introduced the npm ci command to solve this problem. The difference between npm ci and npm i is that when the dependency version pinned by package-lock.json is not within the range specified by package.json, npm ci reports an error and aborts the installation instead of rewriting the lock file.

In this way, we no longer have to worry about the lock file being silently overwritten when package-lock.json and package.json are inconsistent.
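The caret-range semantics described earlier and the install-versus-ci decision just described, as an added example written for this page (it is not the article's code and not npm's own implementation); it assumes a constructed list of published versions standing in for the registry and models only ^ ranges:

```javascript
// Added example, not code from the original article or from npm itself: a
// minimal model of how npm install and npm ci reconcile a package.json range
// with the version pinned in package-lock.json. Only caret (^) ranges are
// modelled; real npm uses the full semver grammar.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// ^x.y.z allows >= x.y.z while keeping the leftmost non-zero component fixed:
// ^2.0.0 admits 2.6.10 but not 3.0.0 or 1.0.0; ^0.2.0 admits only 0.2.x.
function satisfiesCaret(version, range) {
  if (!range.startsWith("^")) throw new Error("only ^ ranges are modelled");
  const base = range.slice(1);
  const [bMaj, bMin, bPat] = parse(base);
  const [vMaj, vMin, vPat] = parse(version);
  if (compare(version, base) < 0) return false;
  if (bMaj > 0) return vMaj === bMaj;
  if (bMin > 0) return vMaj === 0 && vMin === bMin;
  return vMaj === 0 && vMin === 0 && vPat === bPat;
}

// `published` is a constructed list standing in for what the registry offers.
// mode "install" follows npm >= 5.6: keep the locked version if it satisfies
// the range, otherwise resolve the newest matching version and rewrite the
// lock. mode "ci" refuses to proceed instead of rewriting the lock.
function resolveInstall(range, locked, published, mode = "install") {
  if (locked && satisfiesCaret(locked, range)) {
    return { installed: locked, lockUpdated: false };
  }
  if (mode === "ci") {
    throw new Error(`npm ci: package-lock.json pins ${locked}, outside ${range}`);
  }
  const newest = published.filter(v => satisfiesCaret(v, range)).sort(compare).pop();
  if (!newest) throw new Error(`no published version satisfies ${range}`);
  return { installed: newest, lockUpdated: true };
}

// Constructed registry state matching the versions mentioned in the article.
const PUBLISHED = ["1.0.0", "2.0.0", "2.1.0", "2.2.0", "2.6.10", "3.0.0"];
console.log(resolveInstall("^2.0.0", "2.1.0", PUBLISHED)); // keeps 2.1.0
console.log(resolveInstall("^2.2.0", "2.1.0", PUBLISHED)); // moves to 2.6.10
```

Calling resolveInstall with mode "ci" on the second case throws instead of rewriting the lock, which is exactly the behaviour that makes npm ci safe for build and deployment pipelines.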

Summary

From npm 5.6 onwards, we can safely use the package-lock.json file to lock versions, and the npm ci command can be used when building and deploying to prevent npm install from overwriting the lock file.

That is the whole content of this article. I hope it is helpful to everyone's study, and I hope you will continue to support developpaer.
