node.js - Do I commit the package-lock.json file created by npm 5?

npm 5 was released today and one of the new features includes deterministic installs with the creation of a package-lock.json file.

Is this file supposed to be kept in source control?

I'm assuming it's similar to yarn.lock and composer.lock, both of which are supposed to be kept in source control.

  ask by rink.attendant.6 translate from so

1 Reply

Yes, package-lock.json is intended to be checked into source control.

If you're using npm 5, you may see this on the command line: created a lockfile as package-lock.json. You should commit this file.

According to npm help package-lock.json:

package-lock.json is automatically generated for any operations where npm modifies either the node_modules tree, or package.json.

It describes the exact tree that was generated, such that subsequent installs are able to generate identical trees, regardless of intermediate dependency updates.

This file is intended to be committed into source repositories, and serves various purposes:

  • Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.

  • Provide a facility for users to "time-travel" to previous states of node_modules without having to commit the directory itself.

  • To facilitate greater visibility of tree changes through readable source control diffs.

  • And optimize the installation process by allowing npm to skip repeated metadata resolutions for previously-installed packages.

One key detail about package-lock.json is that it cannot be published, and it will be ignored if found in any place other than the toplevel package.

It shares a format with npm-shrinkwrap.json(5), which is essentially the same file, but allows publication.

This is not recommended unless deploying a CLI tool or otherwise using the publication process for producing production packages.

If both package-lock.json and npm-shrinkwrap.json are present in the root of a package, package-lock.json will be completely ignored.
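
The rules quoted in the answer above, turned into a repository check (an added example, not part of the original answer or of npm). It takes a list of tracked paths such as the output of `git ls-files`; the function name `auditLockfiles`, the finding codes and the sample paths are constructed for illustration.

```javascript
// Added example: audit tracked paths (e.g. `git ls-files` output) against the
// lockfile rules quoted from `npm help package-lock.json`.
// auditLockfiles, the finding codes and the sample paths are hypothetical.
function auditLockfiles(trackedPaths) {
  // Normalise Windows separators and a leading "./" so lookups are uniform.
  const paths = new Set(
    trackedPaths.map((p) => p.replace(/\\/g, '/').replace(/^\.\//, ''))
  );
  const findings = [];
  const hasManifest = paths.has('package.json');
  const hasLock = paths.has('package-lock.json');
  const hasShrinkwrap = paths.has('npm-shrinkwrap.json');

  // A top-level package with no committed lockfile: nothing pins the tree.
  if (hasManifest && !hasLock && !hasShrinkwrap) {
    findings.push({ code: 'LOCKFILE_NOT_COMMITTED', path: 'package-lock.json' });
  }
  // Both files in the root: package-lock.json is completely ignored.
  if (hasLock && hasShrinkwrap) {
    findings.push({ code: 'LOCK_IGNORED_SHRINKWRAP_PRESENT', path: 'package-lock.json' });
  }
  // A lockfile inside a dependency is not the top-level one and is ignored.
  const nested = /(^|\/)node_modules\/(.+\/)?package-lock\.json$/;
  for (const p of [...paths].sort()) {
    if (nested.test(p)) findings.push({ code: 'LOCK_IGNORED_NOT_TOPLEVEL', path: p });
  }
  return findings;
}

// Constructed sample input: a repository that commits both lock formats
// and vendors one dependency that ships its own package-lock.json.
const sampleTrackedPaths = [
  'package.json',
  'package-lock.json',
  'npm-shrinkwrap.json',
  'src/index.js',
  'node_modules/example-dep/package-lock.json',
];
for (const f of auditLockfiles(sampleTrackedPaths)) {
  console.log(`${f.code}: ${f.path}`);
}
```

In CI, a non-empty result from this check is a reason to fail the build before `npm install` runs.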
