Question
Recently I tried installing my Node packages with Yarn. It works great and it's a lot faster than NPM. Yarn automatically generates yarn.lock. We already have NPM shrinkwrap (npm-shrinkwrap.json).
Is there any difference between them? Does yarn.lock have any advantage over npm-shrinkwrap.json?
Recommended answer
The yarn.lock file is quite similar to other package managers' lock files, especially Rust's Cargo package manager, which has Cargo.lock. The idea of these lock files is to represent a consistent set of packages that should always work.
npm stores dependency ranges in the package.json file, which means that when someone installs your package, they might get a different set of dependencies to you, since you might be running outdated packages (although they still satisfy the dependency range you specified). Take, for example, someone who has specified the dependency "foo": "^1.0.0". They might have actually installed foo v1.0.1, because that was the latest when they ran npm install, but later on, someone installs your package and gets the dependency foo v1.1.0. This might break something unexpectedly, which can be avoided if you have a yarn.lock file which guarantees consistent package resolution.
As for comparison with npm shrinkwrap, the documentation explains it very clearly:
"It's similar to npm's npm-shrinkwrap.json, but it's not lossy and it creates reproducible results."
The documentation also advises committing yarn.lock to your repositories, if you're not already doing this, so you can reap the benefits of consistent and reproducible package resolution. This question also explains further why you should do this.
The lossy behaviour of npm shrinkwrap is due to the non-deterministic algorithms used by npm itself; as stated in the comments of another answer, npm shrinkwrap > npm install > npm shrinkwrap is not guaranteed to produce the same output as just shrinkwrapping once, whereas Yarn explicitly uses "an install algorithm that is deterministic and reliable".
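The drift the answer describes with "foo": "^1.0.0" can be modelled in a few lines. The following is an added example, not code from the original question or answer and not how npm or Yarn are implemented: it uses a constructed in-memory registry, a simplified caret-range check (majors >= 1 only), and a plain object standing in for a lock file, to show that the same package.json resolves to foo 1.0.1 for the author, to foo 1.1.0 for a later user without a lock, and back to 1.0.1 once the author's lock is honoured.

```javascript
// Added example (not from the original Q&A): a minimal model of how a caret
// range like "^1.0.0" resolves differently over time, and how a committed lock
// file pins the result. Registry contents and the lock-file shape are
// constructed for illustration and do not model npm/Yarn internals exactly.

// Parse "MAJOR.MINOR.PATCH" into three non-negative integers.
function parseVersion(v) {
  const parts = v.split('.').map(Number);
  if (parts.length !== 3 || parts.some(n => !Number.isInteger(n) || n < 0)) {
    throw new Error(`bad version: ${v}`);
  }
  return parts;
}

// Numeric comparison usable directly as an Array.prototype.sort comparator.
function compareVersions(a, b) {
  const [am, an, ap] = parseVersion(a);
  const [bm, bn, bp] = parseVersion(b);
  return (am - bm) || (an - bn) || (ap - bp);
}

// Caret semantics for base versions >= 1.0.0: same major, not below the base.
// npm's caret rules for 0.x versions are stricter and are deliberately not
// modelled here (assumption for this example).
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error('only caret ranges are modelled');
  const base = range.slice(1);
  const [baseMajor] = parseVersion(base);
  const [versionMajor] = parseVersion(version);
  if (baseMajor === 0) throw new Error('0.x caret ranges are not modelled');
  return versionMajor === baseMajor && compareVersions(version, base) >= 0;
}

// A floating range resolves to the highest published version that satisfies it.
function resolveRange(range, published) {
  const ok = published.filter(v => satisfiesCaret(range, v));
  if (ok.length === 0) return null;
  return ok.sort(compareVersions)[ok.length - 1];
}

// Resolve every dependency. If the lock already pins the name, reuse the pin
// (after checking it still satisfies the declared range); otherwise float.
function install(pkgJson, registry, lock = {}) {
  const resolved = {};
  for (const [name, range] of Object.entries(pkgJson.dependencies)) {
    const published = registry[name] || [];
    const pinned = lock[name];
    if (pinned !== undefined) {
      if (!satisfiesCaret(range, pinned)) {
        throw new Error(`lock entry ${name}@${pinned} no longer satisfies ${range}`);
      }
      resolved[name] = pinned;
    } else {
      const v = resolveRange(range, published);
      if (v === null) throw new Error(`no version of ${name} satisfies ${range}`);
      resolved[name] = v;
    }
  }
  return resolved;
}

// Constructed scenario from the answer: the author installs while foo 1.0.1 is
// the newest release; a later user installs after foo 1.1.0 (and 2.0.0) exist.
const pkgJson = { dependencies: { foo: '^1.0.0' } };
const registryBefore = { foo: ['1.0.0', '1.0.1'] };
const registryAfter = { foo: ['1.0.0', '1.0.1', '1.1.0', '2.0.0'] };

function scenario() {
  const authorInstall = install(pkgJson, registryBefore);     // { foo: '1.0.1' }
  const lock = { ...authorInstall };                          // what a committed lock records
  const userWithoutLock = install(pkgJson, registryAfter);    // { foo: '1.1.0' }: drift
  const userWithLock = install(pkgJson, registryAfter, lock); // { foo: '1.0.1' }: reproducible
  return { authorInstall, userWithoutLock, userWithLock };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(scenario());
}
```

Run with node; the printed object shows the three resolutions side by side. The lock check in install() is the part worth keeping in mind: a lock entry that stops satisfying its declared range is an error rather than silently re-floated, which is the behaviour a reproducible install needs.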