Using "npm ci" instead of "npm install" for deterministic project setup

Given a project where the package-lock.json is managed in source control with the goal that all developers on the team get exactly the same dependencies.

From the documentation of npm I think developers should use npm ci to set up their development environment and probably also later when dependencies are updated.

However, the instructions I see in typical npm projects are still to use npm install.

Is there a reason developers should use npm install instead of npm ci? Does npm ci have disadvantages in this scenario?

I understand that npm ci does delete the whole node_modules and therefore potentially re-download some dependencies that were already present.

But with npm install I had regularly the case that an npm install is actually changing the package-lock.json (see links below), which is definitely not what is expected in a traditional project setup, where the main goal is that all developers get the same environment.
Therefore I would like to recommend using npm ci.

Examples of "unexpected" behavior of npm install:

There isn't a reason to use npm ci instead of npm i when building a repo locally or updating dependencies (because it uses the npm cache, it's roughly the same speed as npm i), but there are the following situations where npm i might be preferred:

  1. You actually want to receive minor/patch updates of your direct dependencies automatically;
  2. if you've made manual changes to versions in package.json and want them to trump the versions in package-lock.json.

You should use npm ci (clean install) whenever you want a reproducible environment. You are right: the dev team should use it most of the time.

Use npm install only when they modify the packages or are ready to upgrade dependencies (one of them does it and fixes conflicts; after the commit of package.json AND package-lock.json, the others keep doing npm ci).

Please, see my answer explaining the uses of each tool.
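The answers above turn on whether package.json and package-lock.json still agree: npm ci exits with an error when they do not, while npm install rewrites the lockfile. The following is an added example, not part of the original posts and not npm's own implementation, of a simplified pre-commit drift check. It assumes lockfileVersion 2 or 3, where the `packages[""]` entry mirrors the root package.json; `findLockDrift` and all package names and versions are hypothetical.

```javascript
// Added example, not npm's implementation. Assumes lockfileVersion 2 or 3,
// where packages[""] mirrors the dependency specs of the root package.json.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

function findLockDrift(pkg, lock) {
  const root = lock.packages && lock.packages[""];
  if (!root) {
    throw new Error('no packages[""] entry: lockfileVersion 1 is not handled here');
  }
  const drift = [];
  for (const field of DEP_FIELDS) {
    const wanted = pkg[field] || {};
    const locked = root[field] || {};
    const names = new Set([...Object.keys(wanted), ...Object.keys(locked)]);
    for (const name of [...names].sort()) {
      const entry = { field, name, packageJson: wanted[name] ?? null, lockfile: locked[name] ?? null };
      if (wanted[name] !== locked[name]) {
        // package.json was edited (or a dependency added/removed) without relocking.
        drift.push({ ...entry, reason: "spec-mismatch" });
      } else if (!lock.packages["node_modules/" + name]) {
        // Specs agree, but no exact version is recorded for the package.
        drift.push({ ...entry, reason: "not-pinned" });
      }
    }
  }
  return drift;
}

// Constructed sample data (hypothetical package names and versions).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": {
      name: "demo-app", version: "1.0.0",
      dependencies: { "example-lib": "^1.2.0" },
      devDependencies: { "example-test": "^3.0.0" },
    },
    "node_modules/example-lib": { version: "1.2.4" },
    "node_modules/example-test": { version: "3.1.0", dev: true },
  },
};
const syncedPkg = { name: "demo-app", version: "1.0.0",
  dependencies: { "example-lib": "^1.2.0" }, devDependencies: { "example-test": "^3.0.0" } };
// Hand-edited package.json: one range bumped, one dependency added, lockfile untouched.
const editedPkg = { ...syncedPkg,
  dependencies: { "example-lib": "^2.0.0", "example-new": "^0.1.0" } };

console.log(findLockDrift(editedPkg, sampleLock));
```

An empty result means the two files agree on every declared range; any entry means one developer should run npm install and commit both files before the rest of the team runs npm ci.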
