Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
510 views
in Technique[技术] by (71.8m points)

npm - How to actually use package-lock.json for installing based on locked versions?

Just updated from npm 3 to 5, to use this feature.

Sorry, I must be missing something totally obvious, but how do make npm respect the pinned versions in package-lock.json file when installing?

Let's say I have a package.json with a fair bit of outdated packages. Doing an npm install will pull in new stuff and breaks my app.

For example, the main package I want to stabilize is bootstrap - I want to block its version at bootstrap@4.0.0-alpha.6 for now, but npm install finds 4.0.0-beta.28.

If I npm update any package, package-lock.json gets updated.

Let's go to my development directory.

This is my package.json entry for bootstrap:

"bootstrap": "^4.0.0-alpha.6"

And this is what I see for my installed packages and meta data:

$ npm list 2>/dev/null | grep bootstrap
├─┬ bootstrap@4.0.0-alpha.6
├─┬ bootstrap-vue@0.16.1
│ ├── bootstrap@4.0.0-alpha.6 deduped


(env) jluc@py$ grep bootstrap package.json package-lock.json
package.json:    "bootstrap": "^4.0.0-alpha.6",
package.json:    "bootstrap-vue": "^0.16.1",
package-lock.json:    "bootstrap": {
package-lock.json:      "version": "https://registry.npmjs.org/bootstrap/-/bootstrap-4.0.0-alpha.6.tgz",
package-lock.json:    "bootstrap-vue": {
package-lock.json:      "version": "https://registry.npmjs.org/bootstrap-vue/-/bootstrap-vue-0.16.1.tgz",
package-lock.json:        "bootstrap": "https://registry.npmjs.org/bootstrap/-/bootstrap-4.0.0-alpha.6.tgz",

Looks good. Lock is bootstrap-4.0.0-alpha.6.

But how I use actually use that package-lock.json?

Here's what I did:

  • created a brand new directory
  • copied in package.json and package-lock.json
  • ran npm install.

No good. npm again found bootstrap beta and package-lock.json had no effect, in fact it was rewritten from what npm install did. Which is consistent with the behavior you want in dev, but doesn't tell me how I would use the lockfile to stabilize my packages.

(env) jluc@trynpmlock$ npm list 2>/dev/null | grep bootstrap
├── bootstrap@4.0.0-beta.2
├─┬ bootstrap-vue@0.16.1
│ ├── bootstrap@4.0.0-beta.2 deduped

(env) jluc@trynpmlock$ grep bootstrap package.json package-lock.json
package.json:    "bootstrap": "^4.0.0-alpha.6",
package.json:    "bootstrap-vue": "^0.16.1",
package-lock.json:    "bootstrap": {
package-lock.json:      "resolved": "https://registry.npmjs.org/bootstrap/-/bootstrap-4.0.0-beta.2.tgz",
package-lock.json:    "bootstrap-vue": {
package-lock.json:      "resolved": "https://registry.npmjs.org/bootstrap-vue/-/bootstrap-vue-0.16.1.tgz",
package-lock.json:        "bootstrap": "4.0.0-beta.2",
  • If I delete the package.json and only have a directory with package-lock.json, then npm install installs very little and leaves me with a truncated package-lock.json

  • npm install has a --no-package-lock option, but that prevents updating the package-lock.json.

Basically how do I tell npm install everything from package.json, but respect locks in package-lock.json? Do I use a different command than npm install? Is it because npm install's doc refers to locks in the context of a package installation, but locks don't apply when you install the package.json in its entirety?

Yes, I know I can specify "bootstrap": "4.0.0-alpha.6", minus the ^, to pin the version manually.

My environment:

(env) jluc@py$ npm -v
5.5.1
question from:https://stackoverflow.com/questions/47480617/npm-how-to-actually-use-package-lock-json-for-installing-based-on-locked-versi

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

Please log in or register to reply this article.

OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...