
Should I commit the yarn.lock and package-lock.json files?

Updated: 2021-06-30 22:50:39

Always commit dependency lock files in general

As is covered elsewhere, dependency lock files, which are supported by many package management systems (e.g.: composer and bundler), should be committed to the codebase in end-of-chain projects - so that each individual trying to run that project is doing so with exactly the tested set of dependencies.

It's less clear whether lock files should always be committed into packages that are intended to be included in other projects (where looser dependencies are desirable). However, both Yarn and NPM (as covered by @Cyrille) intelligently ignore yarn.lock and package-lock.json respectively where necessary, making it safe to always commit these lockfiles.

So you should always commit at least one of yarn.lock or package-lock.json depending on which package manager you're using.

At present we have two different package management systems, which both install the same set of dependencies from package.json, but which generate and read from two different lockfiles. NPM 5 generates package-lock.json, whereas Yarn generates yarn.lock.

If you commit package-lock.json then you're building in support for people installing your dependencies with NPM 5. If you commit yarn.lock, you're building in support for people installing dependencies with Yarn.

Whether you choose to commit yarn.lock or package-lock.json or both depends on whether those developing on your project are only using Yarn or NPM 5 or both. If your project is open-source, the most community-friendly thing to do would probably be to commit both and have an automated process to ensure yarn.lock and package-lock.json always stay in sync.

Update: Yarn have now introduced an import command which will generate a yarn.lock file from a package-lock.json file. This could be useful for keeping the two files in sync. (Thanks @weakish)

This issue was discussed at length on the Yarn project in:

Both are now closed.
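
The answer suggests an automated process to keep yarn.lock and package-lock.json in sync; the following is an added example of such a check (not code from the original answer or from Yarn/NPM) that reports packages whose locked versions differ, so that installs with either tool resolve the same tested set. The function names and sample inputs are constructed for illustration, and the parser assumes npm's `dependencies` tree and the Yarn v1 lockfile text format.

```javascript
// Added example: report version drift between package-lock.json and yarn.lock.
// Assumes npm's "dependencies" tree (lockfileVersion 1 or 2) and the Yarn v1 text format.
// name -> Set(versions) from package-lock.json, walking nested dependencies.
function npmVersions(lock, out = new Map()) {
  for (const [name, dep] of Object.entries(lock.dependencies || {})) {
    if (!out.has(name)) out.set(name, new Set());
    out.get(name).add(dep.version);
    npmVersions(dep, out);
  }
  return out;
}

// name -> Set(versions) from yarn.lock v1 text.
function yarnVersions(text) {
  const out = new Map();
  let names = [];
  for (const line of text.split(/\r?\n/)) {
    const m = /^  version "(.+)"$/.exec(line);
    if (/^[^\s#].*:$/.test(line)) {
      // Entry header, e.g.  "@scope/util@^2.0.0", left-pad@^1.3.0:
      names = line.slice(0, -1).split(',').map((s) => {
        const spec = s.trim().replace(/^"|"$/g, '');
        return spec.slice(0, spec.indexOf('@', 1)); // keep a leading @scope
      });
    } else if (m) {
      for (const n of names) out.set(n, (out.get(n) || new Set()).add(m[1]));
    }
  }
  return out;
}

// One line per package whose locked versions differ between the two files.
function lockDrift(npmLock, yarnText) {
  const a = npmVersions(npmLock), b = yarnVersions(yarnText);
  const fmt = (s) => [...(s || [])].sort().join(',') || 'missing';
  return [...new Set([...a.keys(), ...b.keys()])].sort()
    .filter((n) => fmt(a.get(n)) !== fmt(b.get(n)))
    .map((n) => `${n}: npm=${fmt(a.get(n))} yarn=${fmt(b.get(n))}`);
}

// Constructed sample inputs (not from any real project).
const SAMPLE_NPM = { lockfileVersion: 1, dependencies: {
  'left-pad': { version: '1.3.0' },
  '@scope/util': { version: '2.0.1', dependencies: { ms: { version: '2.1.2' } } },
} };
const SAMPLE_YARN = ['# yarn lockfile v1', '',
  '"@scope/util@^2.0.0":', '  version "2.0.1"', '  dependencies:', '    ms "^2.1.0"', '',
  'left-pad@^1.3.0:', '  version "1.2.0"', '', 'ms@^2.1.0:', '  version "2.1.2"', ''].join('\n');
console.log(lockDrift(SAMPLE_NPM, SAMPLE_YARN).join('\n') || 'lockfiles agree');
```

In CI, a non-empty result from `lockDrift` on the two committed files would fail the build until one lockfile is regenerated from the other.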