0 votes
463 views
in Technique by (71.8m points)

versioning - Npm; is package-lock.json redundant if package.json only specifies exact versions?

I struggle with npm's package.json and package-lock.json duality. I believe this question may provide insight regarding how these files relate to each other:

If we define a package.json file which only specifies exact versions for all dependencies, e.g.:

...
  "dependencies": {
    "dep1": "1.2.3",
    "dep2": "4.5.6"
  }
...

and never any ambiguous versions, such as:

...
  "dependencies": {
    "dep1": "^1.2.3",
    "dep2": "4.5.*"
  }
...

then would there ever be a reason to also maintain a package-lock.json file? (And if so, what is such a reason?)

question from: https://stackoverflow.com/questions/66067402/npm-is-package-lock-json-redundant-if-package-json-only-specifies-exact-version


1 Answer

0 votes
by (71.8m points)

The package-lock.json is not redundant even if you pin specific versions of your dependencies.

package-lock.json protects you from transitive dependencies - any dependency that is induced by the components that the program references directly.

It describes the exact tree that was generated, such that subsequent installs are able to generate identical trees, regardless of intermediate dependency updates.

For example:

  1. A → B
  2. It is not the case that B → A
  3. B → C

Then the dependency A → C (which follows from 1 and 3 by the axiom of transitivity) is a transitive dependency.

Note that B can use any non-exact version constraint on C, such as >= X. So it might be that when the C dependency is resolved, each time it can be any version bigger than X. package-lock.json will guarantee that this is not the case.
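The resolution behaviour the answer describes, as an added example that is not part of the original post or of npm's own code: a toy resolver over a constructed registry in which the app pins A exactly, A pins B exactly, and B declares C as ">=2.0.0". Running the same package.json on two days gives a different C once a new C is published, unless the first day's resolved versions are fed back in as a lock. The package names, versions and registry contents are all made up for the example, and the model ignores what a real package-lock.json also records (the resolved tarball URL and its integrity hash) and the nesting npm performs when two packages need incompatible versions of the same dependency.

```javascript
// Added example (not from the original post or from npm): a toy model of how an
// exact-version package.json still leaves transitive dependencies floating, and
// what a lock file adds. All names, versions and registry data are constructed.

// Parse "MAJOR.MINOR.PATCH" into an array of numbers.
function parseVersion(v) {
  return v.split('.').map(Number);
}

// Three-part semver comparison: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Minimal range support: exact ("1.2.3"), ">=X", and caret ("^X": same major, at least X).
function satisfies(version, range) {
  if (range.startsWith('>=')) {
    return compareVersions(version, range.slice(2).trim()) >= 0;
  }
  if (range.startsWith('^')) {
    const base = range.slice(1);
    return parseVersion(version)[0] === parseVersion(base)[0] &&
      compareVersions(version, base) >= 0;
  }
  return compareVersions(version, range) === 0; // exact pin
}

// Pick the highest published version that satisfies the range, which is the
// default choice when no lock file constrains the install.
function pickVersion(registry, name, range) {
  const candidates = Object.keys(registry[name]).filter(v => satisfies(v, range));
  if (candidates.length === 0) throw new Error(`no version of ${name} satisfies ${range}`);
  return candidates.sort(compareVersions).pop();
}

// Resolve a flat tree from a top-level "dependencies" map. When a lock map
// ({ name: version }) is supplied, the locked version wins as long as it still
// satisfies the declared range; that is the guarantee package-lock.json gives.
// (Simplification: the first resolution of a name is reused for everyone.)
function resolveTree(registry, deps, lock = {}) {
  const resolved = {};
  const queue = Object.entries(deps);
  while (queue.length > 0) {
    const [name, range] = queue.shift();
    if (resolved[name]) continue;
    const locked = lock[name];
    const version = locked && satisfies(locked, range)
      ? locked
      : pickVersion(registry, name, range);
    resolved[name] = version;
    queue.push(...Object.entries(registry[name][version].dependencies || {}));
  }
  return resolved;
}

// Constructed registry, day 1: A pins B exactly; B declares an open-ended range on C.
const registryDay1 = {
  A: { '1.2.3': { dependencies: { B: '4.5.6' } } },
  B: { '4.5.6': { dependencies: { C: '>=2.0.0' } } },
  C: { '2.0.0': {}, '2.1.0': {} },
};

// Day 2: the maintainer of C publishes 3.0.0. Nothing in package.json changed.
const registryDay2 = {
  ...registryDay1,
  C: { ...registryDay1.C, '3.0.0': {} },
};

// The app's package.json from the question: only exact versions.
const packageJsonDeps = { A: '1.2.3' };

function installWithoutLock(registry) {
  return resolveTree(registry, packageJsonDeps);
}

function installWithLock(registry, lock) {
  return resolveTree(registry, packageJsonDeps, lock);
}

// The day-1 install doubles as the lock file for later installs.
const lockDay1 = installWithoutLock(registryDay1);

console.log('day 1, no lock  :', installWithoutLock(registryDay1));
console.log('day 2, no lock  :', installWithoutLock(registryDay2));
console.log('day 2, with lock:', installWithLock(registryDay2, lockDay1));
```

Without the lock, the day-2 install silently picks C 3.0.0 even though the app's own package.json never changed; with the day-1 lock fed back in, C stays at 2.1.0. Checking the lock file into version control and installing with `npm ci` is what turns this into a reproducible build, and it is also what lets a newly published transitive version be reviewed as an explicit lock-file diff rather than arriving unannounced.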
