How to lock down npm dependencies in a cloud function
Is there any way to control what version of dependencies (and transient dependencies) are installed when deploying a cloud function?
Since the cloud function runtime uses node v6.11.5, I assume it is using npm v3.10.10 distributed with that version of node. This version of npm does not support package.lock (added in npm v5.0.0).
I set all versions to fixed versions (removing the ^) in my package.json and added save-exact=true to my .npmrc file, but this will only control direct dependencies. Transient dependencies are not locked in this manner.
Is there any way to control all installed dependency versions in cloud functions? Is npm shrinkwrap.json honored?
I posted a question in the Cloud Functions Beta Testers group and they confirmed that the npm-shrinkwrap.json is not honored when deploying to Cloud Functions.
Response from the Product Manager:
Currently, we don't support the npm-shrinkwrap.json file. We're looking at making some improvements to dependency management as we think about our runtime strategy, and this is a suggestion that we'll definitely consider.
As they recommended, I created an issue on their public issue tracker. Add your support to that issue (by starring it) if this is something you want too!
As a senior node.js developer, having a means to have reproducible installations is essential to delivering production worthy code.
npm-shrinkwrap.json and package-lock.json behave differently only from the point of view of an NPM package author/maintainer.
package-lock.json won't be published to the NPM registry (but it will stay with the source code) and guarantees that any author/maintainer of the project will get the same dependencies.
npm-shrinkwrap.json is instead meant to be published to the NPM registry and guarantee that not only authors/maintainers but also the users who install the package get the same dependencies.
Since your project is not related with authoring an NPM package, you can rely on npm-shrinkwrap.json to have a reproducible dependency tree using any NPM version.
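Since the thread reports that npm-shrinkwrap.json is not honored at deploy time, one way to see whether transitive versions moved is to compare the lock file with the tree that was actually installed. This is an added example, not code from any of the posts; it assumes both inputs use the nested dependencies/version layout shared by npm-shrinkwrap.json and `npm ls --json`, and the package names and versions are constructed sample data.

```javascript
'use strict';

// Walk two nested dependency trees of the shape
// { dependencies: { name: { version, dependencies } } } and report every
// path where the installed version differs from the locked one, or where
// a package exists on only one side.
function findDrift(locked, installed, path = []) {
  const drift = [];
  const lockedDeps = locked.dependencies || {};
  const installedDeps = installed.dependencies || {};
  const names = new Set([...Object.keys(lockedDeps), ...Object.keys(installedDeps)]);
  for (const name of [...names].sort()) {
    const here = [...path, name].join(' > ');
    const want = lockedDeps[name];
    const have = installedDeps[name];
    if (!want) {
      drift.push({ path: here, locked: null, installed: have.version });
    } else if (!have) {
      drift.push({ path: here, locked: want.version, installed: null });
    } else {
      if (want.version !== have.version) {
        drift.push({ path: here, locked: want.version, installed: have.version });
      }
      // Recurse so that transitive dependencies are checked too.
      drift.push(...findDrift(want, have, [...path, name]));
    }
  }
  return drift;
}

// Constructed sample: what the shrinkwrap file pins.
const sampleShrinkwrap = {
  name: 'my-function', version: '1.0.0',
  dependencies: {
    'lib-a': { version: '2.1.0', dependencies: { 'lib-c': { version: '0.4.1' } } },
    'lib-b': { version: '1.3.2' },
  },
};
// Constructed sample: what an install that ignored the shrinkwrap produced.
const sampleInstalled = {
  name: 'my-function', version: '1.0.0',
  dependencies: {
    'lib-a': { version: '2.1.0', dependencies: { 'lib-c': { version: '0.4.9' } } },
    'lib-b': { version: '1.3.2' },
    'lib-d': { version: '3.0.0' },
  },
};

console.log(findDrift(sampleShrinkwrap, sampleInstalled));
```

An empty result means the installed tree matches the lock file; any entry is a package whose version was not the one that was tested.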