use*_*973 8 dependencies build dependency-management npm pnpm
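If you connect a GitHub project to a product like Cloudflare Pages or Vercel, committing to the remote repository triggers a new build. These builds will run the appropriate install and build commands.
I haven't updated a site in months. But the dependencies that are used have had a lot of major changes, and it gives me a huge headache trying to go through them one by one and troubleshoot each problem that comes up.
I'm using pnpm. Is there a way I can have pnpm install look at the project's existing pnpm-lock.yaml, so that I can eventually build a project that is exactly the same as the build from 6 months ago?
I just want to edit some text on the site without having to make all of these updates. I tried "freezing" the versions of all the dependencies and dev dependencies in package.json by removing instances of ^, to match what I see in the lock file, but that didn't work.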
And*_*K11 11
See also Why does "npm install" rewrite package-lock.json?
The semver specification explains how to use semantic versioning though you can probably skip to the npm docs.
As you probably know the numbers are in the form major.minor.patch. If you don't mind which patch release you have as long as it is the specified major and minor version you can use the ~ prefix. Similarly, to allow any minor version use ^.
```
pnpm init

pnpm add express
```
The package.json will contain (at time of writing):
```
"express": "^4.18.2"
```
A pnpm-lock.yaml is also created:
```
specifiers:
  express: ^4.18.2

dependencies:
  express: 4.18.2
```
```
express -> '.pnpm/express@4.18.2/node_modules/express'/
```
Giving pnpm install a first run without changing anything produces:
```
$ pnpm install
Lockfile is up to date, resolution step is skipped
Already up to date
Done in 653ms
```
Now if I change package.json to be exactly v4.16.0 we shall see an update to pnpm-lock.yaml
```
specifiers:
  express: 4.16.0

dependencies:
  express: 4.16.0
```
Adding the patch wildcard ~4.16.0 and running pnpm install again gives:
```
specifiers:
  express: ~4.16.0

dependencies:
  express: 4.16.0
```
Note that the install version did not change. If I delete the node_modules/ directory and reinstall, still no change.
Ok, now try updating the minor version in package.json to ~4.17.0.
```
specifiers:
  express: ~4.17.0

dependencies:
  express: 4.17.3
```
This time it did update the dependency and installed the latest patch version but did install the exact major and minor version. If you think about what the ~ means then this is expected.
The specifiers section in the lock file is just what we specify as the dependency in the package.json file. The dependencies section in the lock file should reflect the version that is installed, or will be installed.
If I delete the node_modules/ folder and pnpm install again then we still have 4.17.3.
What confuses a lot of people about pnpm install/npm install is how the lock-file works with the semver specifier:
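The installed version, listed as a dependency in the lock file, must be compatible with the version specified in the package file.
If it is compatible, no changes will be made.
If it is incompatible, then the latest compatible version will be installed.
Maybe because it sometimes seems to install the latest version and other times does not, the behaviour is not clear. To state this again, changes will only be made when the package version and the lockfile version are incompatible. The lockfile dependencies never have the ~ or ^ wildcards because only one version is actually installed and that's what the lockfile is supposed to track.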
--frozen-lockfile in a CI environment
The docs for pnpm install describe how the install will fail if the lockfile is out of sync or needs updating.
Changing package.json back to ~4.16.0 and then doing the install:
```
$ pnpm install --frozen-lockfile
Lockfile is up to date, resolution step is skipped
 ERR_PNPM_OUTDATED_LOCKFILE  Cannot install with "frozen-lockfile" because pnpm-lock.yaml is not up to date with package.json

Note that in CI environments this setting is true by default. If you still need to run install in such cases, use "pnpm install --no-frozen-lockfile"
```
In fact, even if I specify exactly the version that is installed, 4.17.3, it will error because it is different from the specifier ~4.17.0. The package.json and pnpm-lock.yaml are out of sync even though the versions are compatible.
Finally, I will make our package compatible with the latest version that was installed with the first command, pnpm add express. To do this I use the minor version wildcard ^4.0.0 and install with pnpm install --no-frozen-lockfile.
```
specifiers:
  express: ^4.0.0

dependencies:
  express: 4.17.3
```
While the specifier is updated to match the package file, the version does not change; it is compatible.
Running pnpm install --frozen-lockfile will work again, but it will not update the installed version.
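In a normal environment, the lock file will determine the exact version installed, unless it is incompatible with the package file, in which case it will install the latest version specified by the package file.
In a CI environment, the lock file will not be updated by default, and it needs to be compatible with the package file for the install to take place.
If you want the latest version that is specified, pnpm update will update to the latest compatible version given in the package file.
I have tested everything here, but it is complicated, and I have limited experience using pnpm in a real CI environment.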
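The sync rule the answer observes with --frozen-lockfile, as an added example (not pnpm's code and not part of the original answer): a pre-build check that flags any package whose package.json specifier differs from the lock file's specifier, or whose locked version falls outside that specifier. The function names are hypothetical, and the reader assumes the lock layout shown in the answer and only exact, ~ and ^ ranges.

```javascript
// Added example, not pnpm code. SAMPLE_LOCK is constructed from the answer's walkthrough.
const SAMPLE_LOCK = `specifiers:
  express: ~4.17.0
dependencies:
  express: 4.17.3
`;

// Collect top-level maps (specifiers, dependencies, devDependencies); not a YAML parser.
function readLockSections(text) {
  const sections = {};
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    const top = line.match(/^([A-Za-z]+):\s*$/);
    const entry = line.match(/^\s+'?([^':\s]+)'?:\s*'?([^'\s]+)'?\s*$/);
    if (top) current = sections[top[1]] = {};
    else if (entry && current) current[entry[1]] = entry[2];
  }
  return sections;
}

// True if exact version x.y.z satisfies an exact, ~ or ^ range (assumed forms only).
function satisfies(version, range) {
  const v = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  const r = /^([~^]?)(\d+)\.(\d+)\.(\d+)$/.exec(range);
  if (!v || !r) return false;
  const [vM, vm, vp] = v.slice(1).map(Number);
  const [rM, rm, rp] = r.slice(2).map(Number);
  const atLeast = vM > rM || (vM === rM && (vm > rm || (vm === rm && vp >= rp)));
  if (r[1] === '') return vM === rM && vm === rm && vp === rp;
  if (r[1] === '~' || (rM === 0 && rm > 0)) return atLeast && vM === rM && vm === rm;
  if (rM === 0) return vM === 0 && vm === 0 && vp === rp; // ^0.0.z pins the patch
  return atLeast && vM === rM; // ^x.y.z with x >= 1
}

// List every dependency that is out of sync or locked outside its specifier.
function checkFrozenLockfile(pkg, lockText) {
  const lock = readLockSections(lockText);
  const wanted = { ...pkg.dependencies, ...pkg.devDependencies };
  const specs = lock.specifiers || {};
  const locked = { ...lock.dependencies, ...lock.devDependencies };
  const problems = [];
  for (const name of new Set([...Object.keys(wanted), ...Object.keys(specs)])) {
    if (wanted[name] !== specs[name])
      problems.push(`${name}: out of sync (${wanted[name]} vs ${specs[name]})`);
    else if (!satisfies(locked[name] || '', specs[name]))
      problems.push(`${name}: locked ${locked[name]} violates ${specs[name]}`);
  }
  return problems;
}
```

Call checkFrozenLockfile with the parsed package.json and the lock file text before the install step; an empty array means the two files agree and the locked versions sit inside their ranges.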