package-lock.json contains non-exact versions

Problem description

According to the package-lock.json documentation:

It describes the exact tree that was generated, such that subsequent installs are able to generate identical trees, regardless of intermediate dependency updates.

I am looking at a package-lock.json file that contains the following versions:

"less": "^3.0.4",
"less-loader": "^4.1.0",
"license-webpack-plugin": "^1.3.1",
"lodash": "^4.17.4",
"memory-fs": "^0.4.1",

in the requires block of one of the dependencies.

While the main project's child dependencies are "locked", since there is no version ambiguity, these transitive dependencies are not. But if any dependency in the tree requires interpretation, how can npm "generate identical trees, regardless of intermediate dependency updates"?

Tags: npm, npm-install, package-lock.json

Solution


According to this thread, in npm@6 the way package-lock.json internally represents dependency versions changed: it now records the originally requested range for a dependency, while still locking the specific version.

Previously, the package lock did not record the version a dependency originally requested, only the version it was resolved to at creation time.

Here is an example package-lock.json:

// OLD npm format
// Notice that ajv.requires contains specific version for 'fast-json-stable-stringify'
// also notice that 'fast-json-stable-stringify' entry **mentions for the second time** specific version
{ 
    ...
    "dependencies": {
       ... 
        "ajv": {
                "version": "6.11.0",
                "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.11.0.tgz",
                "integrity": "sha512-nCprB/0syFYy9fVYU1ox1l2KN8S9I+tziH8D4zdZuLT3N6RMlGSGt5FSTpAiHB/Whv8Qs1cWHma1aMKZyaHRKA==",
                "dev": true,
                "requires": {
                    "fast-deep-equal": "3.1.1",
                    "fast-json-stable-stringify": "2.1.0",
                    "json-schema-traverse": "0.4.1",
                    "uri-js": "4.2.2"
                }
        },  
        ... 
        "fast-json-stable-stringify": {
            "version": "2.1.0",
            "resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz",
            "integrity": "sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==",
            "dev": true
        },
        ... 
    }
    ...
}
  

Here is the npm@6 approach:


// "new" npm format (as of npm@6)
// Notice that ajv.requires is not showing specific versions
// but instead shows same values as package.json contains
// However 'fast-json-stable-stringify' entry contains 
// SPECIFIC version to have reproducible build
 
{ 
    ...
    "dependencies": {
       ... 
        "ajv": {
                "version": "6.11.0",
                "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.11.0.tgz",
                "integrity": "sha512-nCprB/0syFYy9fVYU1ox1l2KN8S9I+tziH8D4zdZuLT3N6RMlGSGt5FSTpAiHB/Whv8Qs1cWHma1aMKZyaHRKA==",
                "dev": true,
                "requires": {
                    "fast-deep-equal": "^3.1.1",
                    "fast-json-stable-stringify": "^2.0.0",
                    "json-schema-traverse": "^0.4.1",
                    "uri-js": "^4.2.2"
                }
        },  
        ... 
        "fast-json-stable-stringify": {
            "version": "2.1.0",
            "resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz",
            "integrity": "sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==",
            "dev": true
        },
        ... 
    }
    ...
}
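As an added example, not part of the original answer: a small Node.js check that walks an npm@6-style lock and confirms what the answer describes, namely that each entry is pinned to an exact version with an integrity hash while the requires ranges are merely satisfied by those pinned entries. The sample lock, the broken-pkg entry and the placeholder integrity strings are constructed for the demonstration.

```javascript
// Added example (not from the original post): audit an npm@6-style (lockfileVersion 1)
// package-lock.json to confirm every entry is pinned even though "requires" shows ranges.
// 'sampleLock' is constructed from the ajv entry shown above; 'broken-pkg' is invented
// to show a failing check, and the integrity strings are placeholders.

const EXACT = /^\d+\.\d+\.\d+$/;

// Minimal semver for the two range forms that appear in the lock above: "2.1.0" and "^2.0.0".
function satisfies(version, range) {
  if (EXACT.test(range)) return range === version;
  if (!range.startsWith('^') || !EXACT.test(version)) return false;
  const v = version.split('.').map(Number);
  const r = range.slice(1).split('.').map(Number);
  const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
  if (cmp(v, r) < 0) return false;                  // below the requested floor
  if (r[0] > 0) return v[0] === r[0];               // ^1.2.3 -> same major
  if (r[1] > 0) return v[0] === 0 && v[1] === r[1]; // ^0.2.3 -> same minor
  return cmp(v, r) === 0;                           // ^0.0.3 -> exact
}

// Walks the "dependencies" tree and returns human-readable problems; an empty list means every
// package is pinned with an integrity hash and every requires range is met by a locked entry
// (nested entry first, then top level, mirroring npm's lookup order).
function auditLock(lock) {
  const problems = [];
  const top = lock.dependencies || {};
  const walk = (deps, path) => {
    for (const [name, entry] of Object.entries(deps)) {
      const where = [...path, name].join(' > ');
      if (!EXACT.test(entry.version || '')) problems.push(`${where}: version not exact`);
      if (!/^sha(256|512)-/.test(entry.integrity || '')) problems.push(`${where}: missing integrity`);
      for (const [req, range] of Object.entries(entry.requires || {})) {
        const locked = (entry.dependencies && entry.dependencies[req]) || top[req];
        if (!locked) problems.push(`${where} requires ${req}: no locked entry`);
        else if (!satisfies(locked.version, range))
          problems.push(`${where} requires ${req}@${range}: locked ${locked.version} does not satisfy`);
      }
      if (entry.dependencies) walk(entry.dependencies, [...path, name]);
    }
  };
  walk(top, []);
  return problems;
}

const sampleLock = {
  dependencies: {
    ajv: { version: '6.11.0', integrity: 'sha512-PLACEHOLDER', requires: { 'fast-json-stable-stringify': '^2.0.0' } },
    'fast-json-stable-stringify': { version: '2.1.0', integrity: 'sha512-PLACEHOLDER' },
    'broken-pkg': { version: '1.0.0', requires: { 'fast-json-stable-stringify': '^3.0.0' } },
  },
};
```

Running auditLock on a real lock reports nothing for ajv, because its ^2.0.0 range is satisfied by the pinned 2.1.0 entry, while the constructed broken-pkg is flagged twice.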
  
