简体繁体 English

如何在 monorepo 中成功锁定节点模块依赖项？

[英]How can I successfully lock down node module dependencies in a monorepo?

原文 2017-09-29 15:51:07 9 2 node.js/ npm/ yarnpkg/ lerna

I'm working on an open source project which is currently using lerna to help manage a single repository with multiple packages.我正在开发一个开源项目，该项目目前正在使用lerna来帮助管理具有多个包的单个存储库。 So far, so good, except that every now and then something breaks because we don't currently shrinkwrap anything.到目前为止，一切都很好，只是时不时会出现一些问题，因为我们目前没有收缩包装任何东西。 I've been trying to do some monorepo version of shrinkwrapping so that we're not at the mercy of all our dependencies (it's amazing how often everything goes wrong in the middle of a release!) but have hit a bit of a wall and wondered if I'm even on the right track.我一直在尝试做一些 monorepo 版本的收缩包装，这样我们就不会受到所有依赖项的支配（令人惊讶的是，在发布过程中一切都经常出错！）想知道我是否在正确的轨道上。

I was originally hoping to use npm shrinkwrap which I was familiar with from previous projects.我最初希望使用我在以前的项目中熟悉的 npm shrinkwrap。 Unfortunately lerna doesn't appear to support shrinkwrap .不幸的是lerna 似乎不支持 shrinkwrap 。

Plan B was to make use of yarn which, after some initial difficulties, seemed to be going ok after switching to using yarn workspaces- at least I think yarn install --frozen-lockfile was doing what I wanted.计划 B 是使用纱线，经过最初的一些困难，在切换到使用纱线工作区后似乎yarn install --frozen-lockfile至少我认为yarn install --frozen-lockfile正在做我想做的事情。

Unfortunately, other than dependency locking, yarn doesn't seem to be helping- everything worked with npm and lerna, but lerna and yarn workspaces seems to be causing issues resolving modules (even resolving something in the same directory which is baffling).不幸的是，除了依赖关系锁定之外，yarn 似乎并没有帮助——一切都适用于 npm 和 lerna，但 lerna 和 yarn 工作区似乎会导致解决模块的问题（甚至解决同一目录中令人困惑的问题）。

Maybe switching to yarn is overkill anyway so I started wondering if more recent versions of npm and package-lock.json would be a better idea.也许切换到 yarn 无论如何都太过分了，所以我开始想知道更新版本的 npm 和package-lock.json是否是一个更好的主意。 Unfortunately that looks like it would need some work arounds with lerna at which point I'm beginning to wonder how much lerna is really adding.不幸的是，看起来它需要对 lerna进行一些解决，此时我开始想知道 lerna 到底增加了多少。 Maybe dropping lerna would help?也许放弃lerna会有所帮助？

So, tl;dr , does anyone have a good way of locking down module dependencies in a monorepo?那么， tl; dr ，有没有人有一个很好的方法来锁定 monorepo 中的模块依赖关系？

2 个解决方案

I'd suggest simply using exact versioning;我建议简单地使用精确版本控制； so in your package.json files where there are version numbers for dependencies like ^3.4.2 , changing it to 3.4.2 .所以在你的package.json文件中，有像^3.4.2这样的依赖项的版本号，将其更改为3.4.2 。 The ^ (or ~ ) before the number suggest a version range.数字前的^ （或~ ）表示版本范围。 You can get that to happen with the save exact config option : --save-exact flag or by placing save-exact=true in a .npmrc file in the repo.您可以使用保存精确配置选项： --save-exact save-exact=true标志或通过将save-exact=true放在 repo 的.npmrc文件中来实现。 lerna add also supports anexact option . lerna add也支持精确选项。

Hope that helps!希望有帮助！

yarn is a production ready package manager that natively supports monorepos :) yarn是一个生产就绪的包管理器，本机支持 monorepos :)

When using yarn workspaces , there is no need to use lerna as a monorepo manager as well at the same time.使用yarn workspaces ，无需同时使用lerna作为 monorepo 管理器。

You can use other features of lerna if you want, but there is no reason to use lerna for installing monorepos (which are already uses yarn).如果需要，您可以使用 lerna 的其他功能，但没有理由使用 lerna 来安装 monorepos（已经使用了纱线）。

If there is a specific errors when installing/managing monorepo using yarn , please add them to the question.如果在使用yarn安装/管理 monorepo 时出现特定错误，请将它们添加到问题中。

Notes:注意事项：

--frozen-lockfile doesn't do anything in yarn monorepo. --frozen-lockfile lockfile 在 yarn monorepo 中不做任何事情。 yarn has a open issue on that which I think won't resolve soon. yarn有一个悬而未决的问题，我认为这个问题不会很快解决。