Node.js - Are package.json dependencies necessary when installing modules locally?

I know that doing something like this in package.json:

....
...
"dependencies" : {
    "some-node-module" : "*"
}

is a bad idea since you're basically telling node to always update this module to its latest version, even though your code might not be able to handle any other version other than the current one for this particular module.

So I should instead do something like this:

....
...
"dependencies" : {
    "some-node-module" : "3.4.1"
}

Which basically tells node to always use the version of the module that my code was built around.

Question
I have an app which I've first tested locally. The app has now been built, and using the package.json dependencies, npm has installed all of the appropriate node modules locally under my app's root folder (as opposed to globally, in some obscure folder I don't have immediate access to and which is irrelevant to this app - I simply don't like global installations of node modules - I find them too.. "abstract").

Given that all of the node modules are now installed locally, isn't the node modules dependencies part in my package.json now redundant?

I mean, what if something happens and npm is not available or the specific version of a module can't be found?

Isn't it best to be independent of dynamic node module installations and just have everything installed locally the first time without having to use the package.json dependencies?

npm install & update

"you're basically telling node to always update this module to its latest version"

Packages won't be automatically updated. The only time the "*" will be an issue is when you are installing the project for the first time via npm install or when you manually run an update via npm update.

I personally prefer to pick a specific version of a module rather than use any wildcards, but even then there are some gotchas...which is why npm shrinkwrap exists.

npm shrinkwrap

Next gotcha:

"basically tells node to always use the version of the module that my code was built around"

Sorta true. Let's say you use version 1.2.3 of your favorite module and package.json reflects that, but in the module itself is a package.json dependency on another module and that uses "*"...so when you install, the new internal dependency and the wildcard can wind up breaking the module you thought was 'locked down'.

See the gotcha? Hard coding a version controls for the top level versions but does not enforce anything beneath that...and if a module author you depend upon (or a module they depend upon) uses wildcards, you can't be 100% sure things will be copacetic.

To strictly enforce a version, you'll want to use npm shrinkwrap. (The link there to the docs provides more background, which is good to understand if your project uses more than a few very simple modules.)

And now...your question.

You say:

"I mean, what if something happens and npm is not available or the specific version of a module can't be found?"

Based on the first two parts of this answer, it should now be clear that it doesn't hurt to have the dependencies explicitly listed in the package.json because node isn't checking things every time the app runs. npm uses package.json when specific actions (install, update, etc) are called but even then, it is a manual trigger.

While situations vary, there are very few that I can imagine where omitting dependencies in package.json is a good idea. If you ever wind up having to rebuild the project, you'll be in trouble. If the project is so good you want to share it, you'll be in trouble. Heck, if this is something for work and you want to go on vacation and need to install it on another machine...you'll be in trouble.

So given the fact that after the initial install, dependencies have no negative impact...use --save or add the dependencies to your package.json. Your future self will thank you. :)
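
The gotcha described in the answer above (an exact top-level version with a wildcard further down the tree), shown as an added example that is not part of the original post. The manifests are constructed stand-ins for the package.json files under node_modules, and every package name except some-node-module is hypothetical; the walk reports each dependency spec that can still float and the installed versions a lock file such as the one written by npm shrinkwrap would record.

```javascript
// Constructed manifests standing in for node_modules/<name>/package.json.
// All package names except some-node-module are hypothetical.
const manifests = {
  "my-app": { version: "1.0.0", dependencies: { "some-node-module": "3.4.1" } },
  "some-node-module": {
    version: "3.4.1",
    dependencies: { "inner-helper": "*", "stable-lib": "2.0.0" },
  },
  "inner-helper": { version: "0.9.2", dependencies: { "deep-util": "^1.1.0" } },
  "stable-lib": { version: "2.0.0", dependencies: {} },
  "deep-util": { version: "1.4.0", dependencies: {} },
};

// Only a plain x.y.z (optional "=" or "v", prerelease, build) counts as pinned.
// Ranges, "*", dist-tags and URLs are all treated as able to float.
const EXACT = /^=?v?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
const isExactPin = (spec) => EXACT.test(String(spec).trim());

// Walk the graph from `root` and collect two things:
//  - floating: every dependency edge whose spec is not an exact pin
//  - locked:   name -> installed version, the information a lock file records
function auditTree(root, manifests) {
  const floating = [];
  const locked = {};
  const visit = (name, path) => {
    if (name in locked) return; // already visited (also breaks cycles)
    const manifest = manifests[name];
    if (!manifest) {
      floating.push({ path: path.join(" > "), dep: name, spec: "(not installed)" });
      return;
    }
    locked[name] = manifest.version;
    for (const [dep, spec] of Object.entries(manifest.dependencies || {})) {
      if (!isExactPin(spec)) {
        floating.push({ path: [...path, name].join(" > "), dep, spec });
      }
      visit(dep, [...path, name]);
    }
  };
  visit(root, []);
  return { floating, locked };
}

const report = auditTree("my-app", manifests);
console.log("floating specs:", report.floating);
console.log("versions to lock:", report.locked);
```

The top-level manifest passes the exact-pin check, yet two edges beneath it are reported, which is the case the answer says a hard-coded top-level version does not cover.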
