Is there a tool to validate/check that package.json and package-lock.json are consistent?
Sometimes people change package.json and forget to run npm i, which will update package-lock.json, or package.json and package-lock.json are otherwise out of sync. This is an assumption not to be discussed/questioned here. I am looking for a tool that helps detect such cases.
Do you know of an npm feature or third-party tool that can sanity-check package-lock.json? For example, it should resolve all transitive dependencies and check that they are all mentioned in the lock file with a version in the correct semver range. It should tell whether it would make sense to run npm i in order to update your lockfile, or also whether npm ci would get you all the dependencies required as defined in package.json (accounting for transitivity).
I thought that npm --loglevel verbose install --dry-run would be a reasonable candidate, but its output does not mention what it would do to package-lock.json in case it were run without --dry-run. Of course one option would be to run npm i and then git diff package-lock.json (or similar), but that's dirty.
npm ls --depth 1 does these checks. For example, this is the output:
+-- UNMET DEPENDENCY fastify@^2.0.0
+-- foo@0.0.7 extraneous
`-- got@10.3.0
+-- @sindresorhus/is@1.2.0
+-- @szmarczak/http-timer@4.0.0
+-- @types/cacheable-request@6.0.1
+-- cacheable-lookup@0.2.2
+-- cacheable-request@7.0.1
+-- decompress-response@5.0.0
+-- duplexer3@0.1.4
+-- get-stream@5.1.0
+-- lowercase-keys@2.0.0
+-- mimic-response@2.0.0
+-- p-cancelable@2.0.0
+-- responselike@2.0.0
+-- to-readable-stream@2.1.0
`-- type-fest@0.9.0
npm ERR! missing: fastify@^2.0.0, required by asd@1.0.0
npm ERR! extraneous: foo@0.0.7
I get this by doing:
npm init --yes
npm i got
npm i foo
// removed foo manually from package.json
// added fastify manually to package.json
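The kind of lockfile sanity check the question asks for, as an added example that is not part of the question or of the answer above: a small Node script, standard library only, that compares package.json against a lockfileVersion 2 or 3 package-lock.json (the "packages" map keyed by "" for the root and "node_modules/<name>" for installed packages) and reports dependencies that are missing from the lock, extraneous in it, declared with a range that no longer matches the lock's root entry, resolved to a version outside the declared range, or required transitively but absent. The semver matcher is deliberately minimal (exact, ^ and ~ only; anything else is reported as unchecked rather than guessed), and the two manifests are constructed to mirror the answer's scenario (foo removed and fastify added by hand, plus a bumped got range and a transitive dependency dropped from the lock). Separately, npm itself exits with an error from npm ci when package.json and package-lock.json disagree, so that command is the built-in check closest to what is asked, if a less informative one.

```javascript
// Added example (not from the question or answer): offline consistency check
// between package.json and a lockfileVersion 2/3 package-lock.json.
// Sample manifests below are constructed for illustration.

// Minimal semver: exact versions, ^ and ~ ranges, and "" / "*".
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns true/false, or null when the range syntax is not handled here
// (>=, ||, dist-tags, URLs, prereleases) so it is reported, not guessed.
function satisfies(version, range) {
  range = range.trim();
  if (range === '' || range === '*') return true;
  const ver = parseVersion(version);
  const op = /^[\^~]/.test(range) ? range[0] : '';
  const base = parseVersion(range.slice(op.length));
  if (!ver || !base || !/^[\^~]?v?\d+\.\d+\.\d+$/.test(range)) return null;
  if (op === '') return cmp(ver, base) === 0;
  if (cmp(ver, base) < 0) return false;
  // ^ allows changes up to the leftmost non-zero component; ~ allows patch changes.
  let upper;
  if (op === '~') upper = [base[0], base[1] + 1, 0];
  else if (base[0] > 0) upper = [base[0] + 1, 0, 0];
  else if (base[1] > 0) upper = [0, base[1] + 1, 0];
  else upper = [0, 0, base[2] + 1];
  return cmp(ver, upper) < 0;
}

// Emulates Node's lookup: walk up the nested node_modules chain from `from`.
function resolveFrom(lock, from, dep) {
  let base = from;
  for (;;) {
    const key = (base ? base + '/' : '') + 'node_modules/' + dep;
    if (lock.packages[key]) return lock.packages[key];
    if (base === '') return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

function checkLock(pkg, lock) {
  const problems = [];
  const root = lock.packages && lock.packages[''];
  if (!root) return [{ kind: 'unsupported-lockfile', name: '', detail: 'need lockfileVersion 2 or 3' }];
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const locked = { ...(root.dependencies || {}), ...(root.devDependencies || {}) };

  // Direct dependencies: present, same range as the lock's root entry, in range.
  for (const [name, range] of Object.entries(declared)) {
    const entry = resolveFrom(lock, '', name);
    if (!entry) { problems.push({ kind: 'missing', name, detail: range }); continue; }
    if (locked[name] !== range) {
      const was = locked[name] === undefined ? '(absent)' : locked[name];
      problems.push({ kind: 'stale-range', name, detail: `package.json ${range}, lock ${was}` });
    }
    const ok = satisfies(entry.version, range);
    if (ok === false) problems.push({ kind: 'out-of-range', name, detail: `${entry.version} !~ ${range}` });
    else if (ok === null) problems.push({ kind: 'unchecked', name, detail: range });
  }
  // Root entries the manifest no longer declares (npm i would drop them).
  for (const name of Object.keys(locked)) {
    if (!(name in declared)) problems.push({ kind: 'extraneous', name, detail: locked[name] });
  }
  // Transitive closure: every dependency of every locked package must resolve in the lock.
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '') continue;
    for (const [dep, range] of Object.entries(entry.dependencies || {})) {
      const found = resolveFrom(lock, path, dep);
      if (!found) problems.push({ kind: 'missing-transitive', name: dep, detail: `${range} required by ${path}` });
      else if (satisfies(found.version, range) === false) {
        problems.push({ kind: 'out-of-range', name: dep, detail: `${found.version} !~ ${range} (from ${path})` });
      }
    }
  }
  return problems;
}

// Constructed sample: foo removed from package.json, fastify added by hand,
// the got range bumped, and got's p-cancelable dependency missing from the lock.
const SAMPLE_PACKAGE_JSON = {
  name: 'asd', version: '1.0.0',
  dependencies: { got: '^10.3.0', fastify: '^2.0.0' },
};
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'asd', version: '1.0.0', dependencies: { got: '^10.0.0', foo: '^0.0.7' } },
    'node_modules/got': { version: '10.3.0', dependencies: { 'get-stream': '^5.1.0', 'p-cancelable': '^2.0.0' } },
    'node_modules/get-stream': { version: '5.1.0' },
    'node_modules/foo': { version: '0.0.7' },
  },
};

function report(problems) {
  return problems.map((p) => `${p.kind}: ${p.name} (${p.detail})`);
}

for (const line of report(checkLock(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK))) console.log(line);
```

To run it against a real project, replace the two constructed objects with JSON.parse of the files read from disk; an empty result means npm ci would find nothing to complain about at the manifest level, and any stale-range or extraneous finding means npm i would rewrite the lock.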