What is the point of the resolved URL in package-lock.json?

Luk*_*ant 11 node.js npm package-lock.json

Every time I generate a package-lock file, there is also a "resolved" block, like this:

"resolved": "http://devel.npm.registry:4873/lodash/-/lodash-4.17.5.tgz"

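What is the point of this URL? Later, if I try to install dependencies based on this package-lock, do I need to use the same npm registry? We use different npm registries for local development and for production builds. So when I develop I use devel.npm.registry, but the CI tool uses production.npm.registry. According to my tests the URL doesn't matter (I tried with npm@6.4.1). But is the current implementation going to change soon, or is the URL ignored on purpose? I have a feeling that some previous versions of npm actually checked the resolved URL.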

The documentation is not much help in this case.

Luk*_*ant 8

I found some articles about this issue on the web. Links follow:

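npm uses JSON as the format for the lock file. The good news is that since npm@5.0.0 it ignores the resolved field in the package-lock.json file and basically falls back to the registry defined in .npmrc or passed via the --registry argument on the CLI, if one exists; otherwise it uses the one defined in the resolved field.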

https://medium.com/verdaccio/verdaccio-and-deterministic-lock-files-5339d82d611e


Another day, another tweet about #npm5 goodies.

npm is now agnostic about which registry was used to generate the package-lock.json.

https://twitter.com/maybekatz/status/862834964932435969


The purpose of resolved in package-lock.json is to bypass the dependency resolution step (fetching metadata) when you are missing packages. integrity is to verify that you're getting the same thing. Without the resolved field, uncached installations can break due to metadata changes, and they'll also be significantly slower because we have to do a full metadata fetch before we can actually download anything.

Note that package-lock.json does not allow different packages to be fetched from different registries. Even if you have a package lock with different packages using different resolved fields, all of the packages will always be fetched from whatever your current registry= setting is, in npmrc. resolved fields that do not match the configured registry will go through the (slower) metadata fetching I mentioned above, but will still be fetched only from the current registry.

https://github.com/npm/npm/issues/16849#issuecomment-312442508
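
The quoted comments say the configured registry, not `resolved`, decides where packages are fetched from, and that `integrity` is what verifies the content. A CI step can therefore flag lock entries that have no `integrity` hash or whose `resolved` URL is non-HTTPS or points at a different host than the registry the build expects. This is an added example, not code from the original post or from npm: `lockEntries`, `auditLock` and the sample lock are hypothetical and constructed, and the walker also handles the `packages` layout of lockfileVersion 2/3, which goes beyond the npm@6 case discussed above.

```javascript
// Added example (hypothetical helper names; sample data is constructed).
// Yields [name, entry] for every locked package.
function* lockEntries(lock) {
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the root project
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path !== "") yield [path, meta];
    }
    return;
  }
  // lockfileVersion 1 (npm 5/6): nested "dependencies" trees
  const stack = [["", lock.dependencies || {}]];
  while (stack.length > 0) {
    const [prefix, deps] = stack.pop();
    for (const [name, meta] of Object.entries(deps)) {
      yield [prefix + name, meta];
      if (meta.dependencies) stack.push([`${prefix}${name} > `, meta.dependencies]);
    }
  }
}

// Returns findings for entries that need review before a CI install.
function auditLock(lock, expectedRegistry) {
  const expectedHost = new URL(expectedRegistry).host;
  const findings = [];
  for (const [name, meta] of lockEntries(lock)) {
    if (meta.link || meta.bundled || meta.inBundle) continue; // not downloaded on its own
    if (!meta.integrity) findings.push({ name, issue: "missing-integrity" });
    if (!meta.resolved) continue;
    let url;
    try { url = new URL(meta.resolved); } catch (err) { url = null; }
    if (!url) { findings.push({ name, issue: "unparseable-resolved" }); continue; }
    if (url.protocol !== "https:") findings.push({ name, issue: "non-https-resolved" });
    if (url.host !== expectedHost) findings.push({ name, issue: "resolved-host-mismatch" });
  }
  return findings;
}

// Constructed sample in the npm@6 layout, reusing the host names from the question.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    lodash: { version: "4.17.5", integrity: "sha512-PLACEHOLDER",
      resolved: "http://devel.npm.registry:4873/lodash/-/lodash-4.17.5.tgz" },
    "example-pkg": { version: "1.0.0",
      resolved: "https://production.npm.registry/example-pkg/-/example-pkg-1.0.0.tgz" },
  },
};
console.log(auditLock(sampleLock, "https://production.npm.registry/"));
```

A host mismatch is not an error under the behaviour quoted above; it is a signal that the lock was generated against another registry, which makes the `integrity` hash the only thing tying the two copies together.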