NPM is node JS standard package manager, this article will focus on
npmThe mechanism is discussed and compared
How to install a single NPM package
The difference between dependencies and dev dependencies is not obvious in ordinary front-end projects.
In common front-end projects, such as
vueIn the framework, these two mainly specify which dependent packages are actually used in the project code.
Only by installing the two can the program run (because devdependences generally include the running environment dependencies of the program).
nodeThe project is different. You can see the dependency configuration of a node project below.
nodeProject, install only
dependenciesThe project is ready to run (via
NODE_ENV=production npm i）。 And installed
devDependenciesAfter that, it will let the editor
eslintThe detection plug-in starts working, or it can be used
jestConduct unit tests.
This is the real separation of development environment and production environment.
NPM install installs all modules in the dependencies field and devdependencies field of the dependency package by default.
NODE_ When env = production NPM I, only the dependencies module in the dependency package will be installed.
When developing some third packages, we need to pay attention to this and put all the packages on which the project depends
Don’t put some messy bags in, so your bag will become big.
How to use or execute NPM installed packages
eslint, if it is executed globally, a global command will be generated.
However, there are some command packages that I only want to install and use in a project. What should I do.
npxJust, for example
npxFirst, it will look for the installed packages in the project, and then look for the globally installed packages. If they are not found,
npxThe package will be installed before executing the command.
package. JSON and package lock json
Version system and package json
npmFollow semantic version control standards.
- What is a semantic version control standard?
1.5.4Is the version number, where
- 1 is the major version number, which represents incompatible API modifications
- 5 is the minor version number, which represents the downward compatible functional addition
- 4 is the revision number, which represents the downward compatibility problem correction
main.anyMethod, and this method is deleted in the new version, then you should publish it
If a package often releases large versions that are incompatible with the original version, the library should reflect, otherwise it will be cool soon.
main.anyMethod, which has been added in the new version
mainMethod, effect and
main.anySame, then you should publish
mainIt is a new method in the next version.
main.anyMethod, which has been fixed in some scenarios of this method in the new version
bugAnd make sure that the unit test has covered all scenarios, then you should release
1.0.1Version, fix the problem.
If you are not sure to modify this
bugAfter, whether it will cause inconsistent behavior in some scenes, then you should publish it
1.1.0, some of them did not encounter the original scene
bugAnd users who only update the revision number can avoid this problem.
package.jsonHow to configure the version of a third-party package?
- If 〜 0.13.0 is written, only the patch version will be updated: 0.13.1 is OK, but 0.14.0 is not.
- If you write ^ 0.13.0, update the patch version and minor version: 0.13.1, 0.14.0, and so on.
- If 0.13.0 is written, the exact version is always used.
- There are more rules, such as:
||However, it should not be used very often, so I won’t introduce it.
vueTaking scaffolding as an example, the generated project dependencies are as follows:
It can be seen that scaffolding related libraries use the mode of only updating patches; Other packages choose to update the minor version number, so as to introduce some downward compatible latest features or optimization functions.
Therefore, only through
package.jsonIn this case, the original project and the newly initialized project (with great probability) are actually different.
Even if a patch or minor version should not introduce significant changes, it may introduce defects (you can’t be sure what the updates of each third-party package you use do).
Locked version and package lock json
[email protected] After the release, it was launched
package-lock.jsonThe versions of each currently installed package will be solidified. When NPM install is run, NPM will use these exact versions.
vueFor example, in
^2.6.11Version, while in the actual installation process, the
2.6.14Version, and in
package-lock.jsonIn the file, the version is locked in
package-lock.jsonAfter locking the version, leave this file in the
gitIn the warehouse, you can ensure that the dependencies of the original project and the newly initialized project installation are consistent.
If you want to update
package-lockVersion locked in, use
npm updateCommand (this command does not update the major version), which can be followed
semverUnder the premise of standard, update the dependent package, and update
package-lockThe locked version to the latest version (still locked).
package.jsonHow big is the bag?
package-lock.jsonIt not only locks the dependent packages in the project, but also locks the dependencies of the dependent packages in the form of dolls, so the whole file will be very large.
There’s another problem here, and that’s
npm updateThe dependencies of dependent packages will be upgraded. For a project that has been running stably for a long time, the risk is still high. It is recommended to upgrade a specific package（
npm i [email protected]）。
package.jsonThe version update rule of will not take effect and will be read first
package-lock.jsonInstall the package version locked in to ensure that your code base can run smoothly and will not cause problems frequently due to frequent package updates.
If you want to know how many versions of your package are different from the latest package, enter
LatestIt’s the latest version of this package,
WantedThis is the latest minor version of the package under the current major version.
Want to know the actual installed package version
- Stupid way: go
- Be smart: go
package-lock.jsonFind it inside, because the actually installed version has been locked inside.
npm list --depth=0Look at the dependent package version of the whole project.
npm view [package_name] version
In practical use, the commands of 3 and 4 are easy to forget if they are not often used. I used to use the first stupid method, and I will use the second method in the future, which is obviously more convenient.
Yarn and NPM
- Dependent version
In the early days
yarn.lockTo lock the version, which is better than
package.jsonMuch better, and the back
package-lock.json, so there’s not much difference at this point.
- Installation speed
yarnIt feels better than
npmMuch faster because
yarnParallel installation dependency is adopted, and
At present, there is not much difference in the caching mechanism, and the local cache will be read.
- Which one?
At present, in 2021,
yarnThe installation speed is still faster than
npmFast, the difference in other places is not big. It can be basically ignored. You can use any one.
It’s not necessarily good to install too fast. Sometimes, if the installation speed is slow, you can have a cup of tea, a cigarette and have a rest.
yarnYour input will be better than
But judging from the company’s network, many people will use it
Cnpm and NPM
- Cnpm is much faster than NPM
Because the image warehouse of cnpm is in China (Taobao computer room), it is more expensive than
npmOf course, much faster. But now
npmWith the addition of caching mechanism, the speed also keeps up. (except
And there are some dependent packages, which are called internally
npm install, so Still slow.
You can also
npmThe mirror source for is set to
Taobao image, it will be a lot faster.
npm config set registry http://registry.npm.taobao.org
- Cnpm does not have package lock json
This could be a very bad place,
cnpmThere will be no problems during installation
package-lock.jsonAnd even if there are
cnpmIt doesn’t matter, just read
This mechanism may cause the dependent libraries in your code to need to be
package.jsonLock it in, otherwise One day,
cnpmYou might be in trouble.
This estimate is used
cnpmThe biggest hidden danger.
- On the second point, the author’s response
On this point,
cnpmThe author’s response is that he does not support it now and will not consider supporting it in the future.
The author mentioned that if the version is locked, many hidden
bugIt may be difficult to repair and may become a problem
For the dependent version may be inconsistent in multiple environments, the author’s reply is to adjust the whole operation and maintenance release system, such as in multiple environments
cnpmAfter verification, it is released to production. (for the author’s scheme, I don’t think it is reliable, mainly because the cost is not proportional to the income, and not every front end has such a large amount of energy)
The author also said that if there is
bugIf it is not repaired, roll back the version directly to reduce the impact scope of the fault. （…）
Many people do not agree with the author’s point of view that the risk of locking the version will be much smaller.
In fact, there is a hidden danger that the package you use may not follow
SemverSpecification, he may send a patch version, make a major change directly, or there is no unit test at all (especially when you use some unpopular packages).
Even the more famous bags, such as chestnuts and Christmas eggs:
3.9.3、3.10.0 ~ 3.10.9、3.11.0 ~ 3.11.5The version includes a Christmas egg.
On Christmas day, all
ButtonComponents have been added with snowflakes.
If you lock the version at that time, you have a certain probability to avoid this problem.
If you don’t have a locked version, you have a high probability of winning.
- Some dependency packages don’t work
Some dependency packages cannot be installed with cnpm, but can be installed with NPM. This problem is estimated and solved
cnpmThe way packages use soft links is related (not sure).
The mixed use of cnpm and NPM causes the package to hang. It can be determined that
cnpmThe problem of using soft links. So, try not to mix it up.
NPM is the best way to use NPM, which is internal to the company
Private mirror sourceIt is also recommended to make it
npm, after all
cnpmThere are still some hidden dangers.
Pnpm and NPM
Look at many people Amway, the characteristic is fast.
I feel that this fast or not is not an advantage in the usual development process, and it is not bad for this time.
Consider this when installing dependencies in production containers.
npmIt’s also very useful. It’s better to use it
If there is a problem with the installation speed, you can build a private server
npmImage source: store some installed packages on the image source.
One last thing
If you’ve seen here, I hope you’d better give me a like before you go~
Your praise is the greatest encouragement to the author, and can also let more people see this article!
If you think this article is helpful to you, please help ingithubUpper light