1. Origin of the problem
Some time ago, while developing a React project, I ran into a problem. The first time I ran cnpm install in the project, it started fine. Some time later I deleted node_modules and ran cnpm install again, and the project failed to start with an error. Strange: the project code was the same as before and nothing had changed. Looking for the cause, I found that the version numbers of the dependencies in package.json were not fixed, for example "roadhog": "^2.5.0-beta.4". The leading ^ means that installation picks the latest 2.x.x version. Because the module had been updated in the meantime, the two installs produced different versions, and so the project reported an error.
2. Solution
The first thing I thought of was simply hard-coding the module version: "roadhog": "2.5.0-beta.4". But on reflection, there would still be a problem. The most convenient thing about npm is that it manages dependencies for us and downloads them automatically. That is, if we depend on roadhog, and roadhog in turn depends on modules A, B and so on, then when we install roadhog, npm automatically installs the modules A, B, etc. that roadhog depends on.
We have locked roadhog, but its reference to module A still uses the ^ notation (that is, the version is not locked), so if module A is updated, a similar problem can still occur. So how do we control versions?
We need to lock the entire dependency tree; then builds made at different times will not run into different versions being installed. This brings us to the package-lock.json file. Its purpose is to fix (lock) the versions of the entire dependency tree.
To quote the official explanation:
package-lock.json is automatically generated whenever npm changes the node_modules directory tree or package.json. It describes exactly the dependency tree of the project's npm packages, and subsequent installs follow package-lock.json, guaranteeing the same dependency tree regardless of whether any dependency has had a minor version update in the meantime.
What does that mean? I'll explain later. First, let's look at how this file is generated.
By default, when we run npm install in a project (if the project has a package.json file), a package-lock.json file is generated automatically after installation (in the same directory as package.json). The file records the modules that package.json depends on and their own dependencies. Each dependency is marked with its version, the address it was fetched from and a hash value, so that every installation produces the same result, no matter which machine it runs on or when.
The next time we run npm install, if npm finds a package-lock.json file, it processes and installs the dependencies according to the contents of package-lock.json, no longer according to package.json.
Online sources say this requires npm v5.0.0 or later, but when I tested, my version was 5.something (I forget which) and the installation did not generate package-lock.json. So I upgraded to the latest version (what I upgraded to was 6.9.0) and found that it was generated.
    npm -v                        # show the npm version
    npm install -g npm            # upgrade npm to the latest version
    npm install -g npm@<version>  # upgrade npm to a specific version
Once package-lock.json has been generated, if I update the version of a module in package.json (either by manually changing a version number in package.json and running npm install again, or by updating a module with something like npm install <package>@<version>), package-lock.json is automatically updated to the version that was set, so there is no need to worry that package.json has been updated while package-lock.json is still stale. This problem existed before npm v5.1.0; from npm v5.1.0 onward it no longer occurs. This synchronization feature shipped as part of npm v5.1.0, which was released on July 5, 2017.
If you browse the file, you'll find that it looks like the dependencies in package.json, but it is much more complicated. package-lock.json is a huge list of all your dependencies. For each one it contains an explicit version number, the address the dependency is fetched from, a hash value used to verify integrity and correctness, and the dependencies that the dependency itself needs. Here is a screenshot:
From the screenshot we can see that there are many fields; for an explanation of each one, refer to the official documentation.
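The fields listed above (exact version, fetch address, integrity hash, nested dependencies) can be checked mechanically. The following is an added example, not code from the original post or from npm: it walks a lock file in the npm 5/6 layout (lockfileVersion 1) and reports entries that lack a hash, use only SHA-1, or were fetched from somewhere other than the expected registry. The sample lock, the module names, the hashes and the TRUSTED_PREFIX value are assumptions made for illustration.

```javascript
// Added example: audit a lockfileVersion 1 package-lock.json (npm 5/6 layout).
// SAMPLE_LOCK is constructed; package names, URLs and hashes are placeholders.
const SAMPLE_LOCK = {
  name: "demo-app", version: "1.0.0", lockfileVersion: 1,
  dependencies: {
    "module-a": {
      version: "1.4.2",
      resolved: "https://registry.npmjs.org/module-a/-/module-a-1.4.2.tgz",
      integrity: "sha512-PLACEHOLDER-A",
      requires: { "module-b": "^2.0.0" },
      dependencies: {
        "module-b": {
          version: "2.3.0",
          resolved: "http://mirror.example.invalid/module-b-2.3.0.tgz",
          integrity: "sha1-PLACEHOLDER-B"
        }
      }
    },
    "module-c": {
      version: "0.9.1",
      resolved: "https://registry.npmjs.org/module-c/-/module-c-0.9.1.tgz"
    }
  }
};

// Assumption: the project installs only from the public npm registry.
const TRUSTED_PREFIX = "https://registry.npmjs.org/";

// Walk the whole tree (nested "dependencies" included) and report entries
// that weaken the guarantees the lock file is supposed to give.
function auditLock(lock, trustedPrefix = TRUSTED_PREFIX) {
  const findings = [];
  const walk = (deps, path) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const where = [...path, name].join(" > ");
      const add = (issue) => findings.push({ where, issue });
      if (!/^\d+\.\d+\.\d+/.test(entry.version || "")) add("version-not-exact");
      if (!(entry.resolved || "").startsWith(trustedPrefix)) add("untrusted-source");
      if (!entry.integrity) add("missing-integrity");
      else if (entry.integrity.startsWith("sha1-")) add("weak-hash-sha1");
      walk(entry.dependencies, [...path, name]);
    }
  };
  walk(lock.dependencies, []);
  return findings;
}

console.log(auditLock(SAMPLE_LOCK));
```

Bundled and git dependencies carry no resolved/integrity fields in this layout, so they will be reported and need a manual look.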
6. cnpm does not support package-lock.json
- cnpm install does not generate a package-lock.json file. Searching online, it seems the cnpm maintainers do not want to support this feature; you can search for the details.
- Even if a package-lock.json file exists, cnpm install does not recognize it and still installs according to package.json. That is why, if you generated package-lock.json by installing with npm and someone later installs with cnpm, their dependencies may not match the ones you installed: cnpm is not affected by package-lock.json and downloads only according to package.json.
From the release of npm 5.x up to the current 5.6.0, the role of the lock file has changed several times.
After updating from npm 3.x to npm 5, I found that the behaviour of npm i did not match the explanatory articles online.
Some say that no matter how package.json is modified, repeated runs of npm i download according to the version information described in the lock file.
Others say that on repeated runs of npm i, npm ignores the lock information and downloads and updates modules according to the semantic versioning information in package.json (so the lock seems useless).
Looking into it, I learned that since npm 5.0 was released, the rules of npm i have changed three times.
1. npm 5.0.x: no matter how package.json changes, npm i downloads according to the lock file.
This issue complained about the problem: I clearly changed package.json by hand, so why won't you upgrade the package for me! And that led to the 5.1.0 problem...
2. After version 5.1.0: npm install ignores the lock file and downloads the latest npm packages.
Then someone raised this issue, "why is package-lock being ignored? · Issue #17979 · npm/npm", complaining about this problem, and it eventually evolved into the rules of version 5.4.2 and later.
3. After version 5.4.2 (why is package-lock being ignored? · Issue #17979 · npm/npm):
Roughly speaking, if package.json has been changed so that package.json and the lock file differ, then npm i downloads the latest packages allowed by the version numbers and semantic versioning in package.json, and updates the lock file.
If the two are in the same state, npm i downloads according to the lock file and does not care whether a newer version of the package actually exists.
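The rule for 5.4.2 and later can be turned into a check that tells you, per dependency, whether an install would follow the lock file or rewrite it. This is an added sketch, not npm's code and not from the original post; it assumes "differ" means the locked version no longer satisfies the range in package.json, and its range matcher is a simplification that handles only exact, ^ and ~ ranges on plain x.y.z versions (prerelease ranges such as ^2.5.0-beta.4 come back as unsupported-range). PKG, LOCK and the module names are constructed.

```javascript
// Added example: predict, per dependency, which branch of the rule applies.
// PKG and LOCK are constructed samples; module names are placeholders.
const PKG = { dependencies: {
  "module-a": "^1.4.0", "module-b": "^3.0.0", "module-c": "0.9.1", "module-d": "~2.1.0"
} };
const LOCK = { lockfileVersion: 1, dependencies: {
  "module-a": { version: "1.4.2" },
  "module-b": { version: "2.3.0" },
  "module-c": { version: "0.9.1" }
} };

// "x.y.z" -> [x, y, z]; anything else (prerelease tags, URLs) -> null.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v || "");
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Simplified range matcher: exact, ^x.y.z and ~x.y.z only.
// Returns true/false, or null when the range or version is not supported.
function satisfies(version, range) {
  const m = /^([\^~]?)(\d+\.\d+\.\d+)$/.exec(range || "");
  const v = parseVersion(version);
  if (!m || !v) return null;
  const op = m[1], base = parseVersion(m[2]);
  if (op === "") return compare(v, base) === 0;
  let upper = [base[0] + 1, 0, 0];                                    // ^1.2.3 -> <2.0.0
  if (op === "~" || base[0] === 0) upper = [base[0], base[1] + 1, 0]; // ~1.2.3, ^0.2.3
  if (op === "^" && base[0] === 0 && base[1] === 0) upper = [0, 0, base[2] + 1]; // ^0.0.3
  return compare(v, base) >= 0 && compare(v, upper) < 0;
}

// A dependency missing from the lock counts as "differs".
function planInstall(pkg, lock) {
  const plan = {};
  for (const [name, range] of Object.entries(pkg.dependencies || {})) {
    const locked = (lock.dependencies || {})[name];
    const ok = locked ? satisfies(locked.version, range) : false;
    plan[name] = ok === null ? "unsupported-range"
      : ok ? "install-from-lock" : "resolve-from-package.json-and-update-lock";
  }
  return plan;
}

console.log(planInstall(PKG, LOCK));
```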