I have an npm package with a fixed version that has an update.

Example package.json extract:

```
devDependencies: {
  "someFixedVersionPackage": "1.0.0", //1.1.0 is latest
  "anotherFixedVersionPackage": "2.3.2", //2.3.4 is latest
}
```

Does an npm command exist which installs the latest version of that package and updates the package.json, preferably all packages at once?

To be clear, I want the package.json snippet above to be updated to this, in addition to the packages themselves being updated:

```
devDependencies: {
  "someFixedVersionPackage": "1.1.0", //latest
  "anotherFixedVersionPackage": "2.3.4", //latest
}
```

Thank you.
Solution

Why doesn't npm update work here?

As per the documentation on npm update:

Since your packages are defined with a fixed version, the update sub-command will not update those to respect semantic versioning. Therefore, it will only automatically update your packages if you specify a greater version range for each package. Note that it is actually typical in an npm project to specify a loose range version; one that is meant to avoid breaking changes but still leaves room for improvements and fixes.

Still, why shouldn't I fix dependency versions in my package.json?

Having a list of dependencies with a fixed version does not mean that the dependencies installed will always be the same, because the dependencies of your dependencies will most likely also be defined with a version range. In order to keep track of a list of tested version-tagged dependencies, npm provides another mechanism: package locks.

Before version 5 of npm, you can create a "npm-shrinkwrap.json" file with the shrinkwrap command:

Since npm 5, a "package-lock.json" is automatically generated when an npm operation modifies the "node_modules" tree or "package.json".

Rather than modifying package.json, either one of these package locks will override the default behaviour of npm install, installing dependencies with the versions specified by the lock, right when they were created or manually updated. With that out of the way, your dependencies can now be expanded without the risk of dependents installing untested package versions.

Shrinkwraps are used for publishing packages.
To shrinkwrap a package:

1. Run npm install in the package root to install the current versions of all dependencies.
2. Validate that the package works as expected with these versions.
3. Run npm shrinkwrap, add npm-shrinkwrap.json to git, and publish your package.

At this point, dependency versions can be loosened in your package.json (this will hopefully be done only once every major dependency update), so that later on they can be updated at will with npm update:

```
"devDependencies": {
  "someFixedVersionPackage": "^1.0.0",
  "anotherFixedVersionPackage": "^2.3.2",
}
```

The package-lock.json file can be used instead of a shrinkwrap, and is more suitable for reproducing a development environment. It should also be committed to the repository.

So how do I update my dependencies?

Calling npm update will do what's mentioned above: update dependencies while respecting semantic versioning. To add or upgrade a dependency in a package:

1. Run npm install in the package root to install the current versions of all dependencies.
2. Add or update dependencies. npm install --save each new or updated package individually to update the package.json, as well as the existing package locks ("package-lock.json" and "npm-shrinkwrap.json"). Note that they must be explicitly named in order to be installed: running npm install with no arguments will merely reproduce the locked dependencies.
3. Validate that the package works as expected with the new dependencies.
4. Commit the new package locks.

Moreover, here are a few tips for a smooth transition from a project with fixed dependencies:

- If you haven't done so, expand the version range by adding a tilde (~) before the version specifier, or a caret (^). npm update will then attempt to install all patch revisions and minor revisions, respectively (major version 0 is a corner-case, see the documentation). For instance, "^1.0.0" can now be updated to "^1.1.0", and "~2.3.2" can be updated to "~2.3.4".
Adding the --save or --save-dev flags will also update the "package.json" with the installed version (while keeping the previous range specifiers).
- Run npm outdated to check which packages are outdated. Entries in red will be updated automatically with npm update. Other entries will require a manual intervention.
- For packages with major version bumps, install that package with a version specification (e.g. npm install browserify@11.2.0 --save-dev). Further issues that may arise with the update will have to be handled manually. It usually helps to read the news feed or the release history on that package to further understand what has changed from previous versions.

This is not simple enough, is there another way to do this?

Before continuing, it is always worth mentioning that packages have a SemVer-compliant version definition for a reason. One should avoid blindly installing the latest version of every single package. Although such a full update can be done and tools are available for that, some caution is advised. For instance, you would not want to install React 15 if the remaining React components and libraries are not compatible with react@15.x.x. See also npm's blog post: Why use SemVer?

I'll take my chances. What other tools are there?

To name a few:

- npm-check-updates will do what was initially asked in the question: install and update the versions of all dependencies, regardless of the given range constraint. This would be the least recommended tool for the job, however.
- updtr will update dependencies one by one and roll back to the previous version if the project's tests fail, which may save time in projects with good test coverage.
- npm-check provides an interactive command-line interface, which allows you to easily select which packages to update.

Is this any different with npm 5?

Since major version 5, npm will automatically create a "package-lock.json", which will fill the role of specifying the dependency tree when a shrinkwrap does not exist.
A more detailed description can be found in the package-locks documentation. In general, npm-shrinkwrap.json is meant to be used when publishing, whereas package-lock.json is to be used in development. This is why you should also commit "package-lock.json" to the repository.

What about with Yarn?

Yarn, an npm-compatible dependency manager, creates a lock file automatically on use, which behaves similarly to the npm shrinkwrap. Calling yarn upgrade «package» will update one dependency to the version in the latest tag, regardless of the version range recorded in the package.json or the lock file. Using yarn upgrade-interactive also allows you to selectively upgrade packages to the latest version, not unlike npm-check.

```
$ yarn outdated
yarn outdated v0.16.1
Package       Current  Wanted  Latest
babel-eslint  7.0.0    7.0.0   7.1.0
chai          3.0.0    3.0.0   3.5.0
Done in 0.84s.

$ yarn upgrade babel-eslint chai
yarn upgrade v0.16.1
[1/4] Resolving packages...
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved lockfile.
success Saved 2 new dependencies.
├─ babel-eslint@7.1.0
└─ chai@3.5.0
```
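Added example (not part of the original answer, and not npm's own code): a simplified JavaScript model of how the range written in package.json decides the "Wanted" version that npm update may install, as opposed to "Latest". It handles only exact, caret and tilde ranges on plain x.y.z versions (no prerelease tags); every package name except someFixedVersionPackage, and all version lists, are constructed sample data.

```javascript
// Simplified range matching for exact "x.y.z", "^x.y.z" and "~x.y.z" only.
// This is an illustration, not the semver library that npm uses.
const parse = (v) => v.split('.').map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// True when `version` falls inside `range`.
function satisfies(version, range) {
  const op = /^[\^~]/.test(range) ? range[0] : '';
  const base = range.slice(op.length);
  if (op === '') return cmp(version, base) === 0;   // fixed version: exact match
  if (cmp(version, base) < 0) return false;         // never below the base version
  const [M, m, p] = parse(base);
  const [vM, vm, vp] = parse(version);
  if (op === '~') return vM === M && vm === m;      // tilde: patch updates only
  // Caret: the left-most non-zero component must stay the same.
  if (M > 0) return vM === M;
  if (m > 0) return vM === 0 && vm === m;           // major version 0 corner case
  return vM === 0 && vm === 0 && vp === p;
}

// Highest published version the range allows (the "Wanted" column).
function wanted(range, published) {
  const ok = published.filter((v) => satisfies(v, range)).sort(cmp);
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed sample: declared range plus versions a registry might list.
const sample = {
  someFixedVersionPackage: { range: '1.0.0', published: ['1.0.0', '1.1.0'] },
  caretPackage: { range: '^1.0.0', published: ['1.0.0', '1.1.0', '2.0.0'] },
  tildePackage: { range: '~2.3.2', published: ['2.3.2', '2.3.4', '2.4.0'] },
  zeroMajorPackage: { range: '^0.4.1', published: ['0.4.1', '0.4.9', '0.5.0'] },
};

function report(packages) {
  return Object.entries(packages).map(([name, { range, published }]) => {
    const latest = [...published].sort(cmp).pop();
    return { name, range, wanted: wanted(range, published), latest };
  });
}
console.log(report(sample));
```

A row where wanted equals the installed version but differs from latest is one that npm update leaves alone and that needs an explicit, reviewed install.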