可以在 webpack.config.js 中链接节点模块文件吗?
[英]Is it okay to link node modules files in webpack.config.js?
问题描述
In some projects, I saw developers didn't link to node_modules files in webpack.config.js (eg. "./node_modules/boostrap/dist/js/boostrap.bundle.js"), instead, they copied the file to assets/js and linked it there.
在一些项目中,我看到开发人员没有链接到 webpack.config.js 中的 node_modules 文件(例如“./node_modules/boostrap/dist/js/boostrap.bundle.js”),而是将文件复制到资产/js 并将其链接到那里。 Some of my friends also told me that they prefer this option because they never feel safe with linking to node_modules (I guess as somebody may use npm update ...?)我的一些朋友还告诉我,他们更喜欢这个选项,因为他们从来没有对链接到 node_modules 感到安全(我猜因为有人可能会使用npm update ...?)
What would you call a "good practice"?你认为什么是“好的做法”? Is it totally fine to link to node_modules?链接到 node_modules 完全没问题吗? If not - what wrong can happen?如果没有 - 会发生什么错误?
I used this method in small projects as I don't think there is a need for doubling files but in larger - for peace of mind - I used the path to assets我在小型项目中使用了这种方法,因为我认为不需要将文件加倍,但在更大的项目中 - 为了安心 - 我使用了资产路径
1 个解决方案
解决方案1
1 已采纳 2019-03-10 00:03:33
It can be okay to do it.可以这样做。 Purely from the build step perspective, it doesn't make a difference.纯粹从构建步骤的角度来看,它没有什么区别。
The trade offs you are making between using the node modules as npm provides them (node_modules) and storing your own copies, in an assets or vendors folder, are about:您在使用 npm 提供的节点模块 (node_modules) 和将您自己的副本存储在assets或vendors文件夹之间进行权衡,大约是:
- security安全
- source code management & development efficiency源代码管理和开发效率
- storage space储存空间
When all the thousands of developers around the world create little pet projects and push them to Github, it wouldn't make sense for all of them to store their own copy of JQuery and then push it into their Github repo.当全世界成千上万的开发人员创建小项目并将它们推送到 Github 时,让他们所有人存储自己的 JQuery 副本,然后将其推送到他们的 Github 存储库中是没有意义的。 Instead we push a package.json file that lists it as a dependency, we do this for every third party dependency and prevent creating a repository where a lot (even most) of the code is not application code, but dependencies.相反,我们推送一个将其列为依赖项的 package.json 文件,我们为每个第三方依赖项执行此操作,并防止创建一个存储库,其中很多(甚至大部分)代码不是应用程序代码,而是依赖项。 That is good.那很好。
On the other hand, if a developer always downloads dependencies every time a new project is started/cloned/forked, you potentially risk, with every module download, the chance of installing a compromised package version.另一方面,如果开发人员总是在每次启动/克隆/分叉新项目时都下载依赖项,那么每次下载模块时,您都有可能安装受损软件包版本的风险。 For this we solve with vulnerability scanners, semantic versioning and lock files ( package-lock.json ) to give you control on how and when you get updates.为此,我们使用漏洞扫描器、语义版本控制和锁定文件 ( package-lock.json ) 来解决此问题,让您可以控制获取更新的方式和时间。
Another problem with downloading always is the bandwidth it consumes.下载的另一个问题是它消耗的带宽。 For this we solve with a local cache.为此,我们使用本地缓存解决。 So, even if you uninstall a module from one project, npm doesn't really delete it from your drive.因此,即使您从一个项目中卸载了一个模块,npm 也不会真正从您的驱动器中删除它。 It keeps a copy on a cache folder.它将副本保存在缓存文件夹中。 This works really well for most developers, but not so much in an enterprise environment with massive applications.这对大多数开发人员来说非常有效,但在具有大量应用程序的企业环境中则不然。
A problem, that has impacted already the world severely, is that if a module author decides to delete the code then lots of apps stop working because they can't find the dependency anymore.一个已经严重影响世界的问题是,如果模块作者决定删除代码,那么许多应用程序将停止工作,因为他们无法再找到依赖项。 See left-pad broke Node, Babel... (It also broke things at my work)见左键盘坏了节点,巴贝尔...... (它也破坏了我工作中的东西)
The issue with moving things out from node_modules to assets is that if your app has 100 dependencies, your are not going to want to do that 100 times.将东西从node_modules到assets在于,如果您的应用程序有 100 个依赖项,您不会想要这样做 100 次。 You might as well save in your source control system the complete source code found in node_modules .您不妨将在node_modules找到的完整源代码保存在源代码控制系统中。 That comes at a price of course, that folder can have a huge size.当然,这是有代价的,该文件夹可能会很大。
A good balance can be found by using different tools and approaches.通过使用不同的工具和方法可以找到一个很好的平衡。 Wether you vendorize third party dependencies (store your own copy) or not depends on what has the better cost/risk ratio in your situation.您是否供应第三方依赖项(存储您自己的副本)取决于在您的情况下什么具有更好的成本/风险比。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.