As Title.
I am working with a team developing on a js application. However, sometimes we will build and deploy the application without aware of some of dependencies is updated. This causes some defects.
Is there any way we can resolve it? Let say any way to enforce checking dependency version before npm build/yarn run build.
You can use dependency locking, via a yarn.lock or a package-lock.json file. Checking in the lockfile will ensure that every developer is using the same versions of your dependencies.
Then, before building you can reinstall dependencies with yarn install or npm install or just validate that local installation matches with yarn install --check-files or npm ci.
You can remove the caret sign (^) before versions of packages from your package.json.
This will ensure that the exact version is installed every time you run npm i on the server.
Using package-lock.json as suggested in the other answer also helps achieve the same.
Related
I am now in charge of an app whose dependencies were installed using yarn. I am more familiar with NPM. Is switching over as easy as deleting the yarn.lock file and installing NPM to the project? The app hasn't been updated in a year or two so I'm trying to update everything.
Or maybe a better question is, can I install both NPM and yarn globally but pick and choose which one I use for what app? Will it cause issues if they are both installed globally on machine?
Thanks in advance
You can definitely have Yarn and NPM installed on the same machine without issue. NPM generally comes packaged with Node, so most people using Yarn will also have NPM installed, wether they use it or not.
In terms of switching a project from Yarn to NPM, it's a pretty straightforward process, like you described: remove yarn.lock and remove the existing node_modules directory just to avoid any issues.
The subtle issue here is that the yarn.lock will be the current source of truth for exactly which versions of each dependency (and sub-dependencies) is installed. So by removing the yarn.lock your package.json will now become the (incomplete) source of truth which will likely result in some dependencies being upgraded when you perform your first npm install -- then your package-lock.json will become the new strict source of truth.
Given you're planning on updating everything anyway, then this likely isn't going to be an issue, but it's worth keeping in mind as you're likely to see some minor dependency changes.
I work at a largish project with ~10 devs. We have package.json and the resulting package-lock.json committed, and our ci pipeline does npm ci to restore packages according to package-lock.json.
Currently, the developers are instructed to clone the repo and run npm install. However, I found that npm install will install different versions that match the version spec in package.json - for example, ^5.0.5 might cause npm install to install version 5.1.1, or to keep 5.0.5 if it was already in there.
So, I want to change the instructions for developers to:
(common case) If you don't want to change packages or package versions, only use npm ci
If you do, use npm install and/or npm update (possibly with --save-dev), test locally, and then commit the resulting package.json and pacakge-lock.json.
Are these instructions sound? Am I missing something?
Per documentation "this command is similar to npm install, except it's meant to be used in automated environments such as test platforms, continuous integration, and deployment -- or any situation where you want to make sure you're doing a clean install of your dependencies." (emphasis mine).
I prefer using it instead of "install", because it gives some insurances about state of node_modules folder.
It will remove modules folder, if it is present, which will remove everything that is not in lock file, but may accidentally be present from previous install.
It will throw an error if someone changed dependencies by hand and didn't updated lock file.
It will be faster than install, because it doesn't need to build new dependency tree, and it will preserve versions of dependencies which were installed by tag (like latest or next) or by wild card (*). And sometimes this is a very good thing - recent colors incident is a good illustration.
Basically it means that me and all my colleagues will get identical node_modules folder contents. One of the advantages of Yarn in early days were reproducible installs with lock-file, and it is considered a good practice.
I'm building a microservice app in a monorepo containing a bunch of microservices and a commons package. This commons package is never published to npm. (packages are managed with yarn workspaces)
Using parcel, the commons package is bundled into the production code, so I don't need to install it at run time.
Each microservice runs in its own docker container. So, when I build the docker container, Ideally, I'd want to ignore this "commons" dependency and install all the other ones. AFAIK, the only way to do this is to place the "commons" package in devDependencies.
However, it seems that even if I add it only to devDependencies and run npm i --only=production, npm still tries to resolve the package and still throws an ETARGET error.
Is there some way to completely ignore the devDependencies? My only other Idea is to write a script that removes the devDependencies field from the package.json before running npm install, but I wanted to ask here first to make sure I'm not missing anything.
There is a GitHub issue on the npm/cli repo tracking this issue here (#4967), where this behaviour is categorized as a bug.
So to answer your question, as far as the current status of the GitHub issue indicates, the intended behaviour is that devDependencies don't get attempted to be resolved in --production mode, and you shouldn't need to do anything extra to get this behaviour once the fix is made. I don't think you are missing anything.
The workaround you have thought of sounds reasonable to me.
On the GitHub issue, you can indicate "me too" with a thumbs up reaction (please don't spam the comments with "me too" comments).
To install packages only at production without devDependencies,
npm install --production
Docs about npm install is here.
I am a bit new to this whole CI/CD world but whenever I see the config.yml files there in any node js project there is always npm ci instead of npm install. I have read some things from docs but it's still unclear to me. Can someone please explain in clear and concise language?
npm install generates the package-lock.json for you. The file contains the exact version numbers of all dependencies that you installed as well as the version number of transitive dependencies, all bassed on what you defined in package.json. Note however that in your package.json you can define your version starting with ^ or ~, suggesting that you want to install the latest patch or minor version of a certain dependency. As a result, every time you run npm install your package-lock.json might end up containing slightly newer versions of your packages if available.
npm ci on the other hand doesn't not generate package-lock.json file. Quite the opposite. It requires your package-lock.json to already be there and it installs exactly the versions that are listed there. This is the command that you want to run on your CI/CD pipeline. This way you can ensure that your pipeline uses exactly the same dependencies you last used locally and can confirm that they worked for you.
I'm trying to set up a development environment with several packages, and as a result I need to manually install some dependencies. More specifically, I have some local changes in several packages which I need to test before I can push them to github, so I can't just npm install the top level because it won't pick up those change. So I run the first npm install manually on packages which are missing, and then try to run my node code and see which package it is still missing, then try to npm install what it says is missing.
However, when I go to install the second package, it ends up with this message:
added 3 packages from 4 contributors, removed 799 packages and audited 3 packages in 4.197s
The second install removed practically every package that was already installed! I didn't notice this until about the third time, when I realized that I seemed to be installing the same thing over and over.
However can I prevent this particularly naughty behavior and force npm to only install what I tell it to and leave everything else alone?
Have a look at npm link if you need to test against modified packages.
From npm link:
This is handy for installing your own stuff, so that you can work on it and test it iteratively without having to continually rebuild.
Say b is a dependency of a. You made changes to b and want to check if a still works with those changes. Instead of using b in node_modules installed from npm, use your local, modified version:
cd ~/projects/b # go into the package directory
npm link # creates global link
cd ~/projects/a # go into some other package directory.
npm link b # link-install the package
Now, any changes to ~/projects/b will be reflected in ~/projects/a/node_modules/b/.
If your development flow involves updating in parallel packages which depend on one another, you might consider switching your project's package manager to from npm to yarn to take advantage of yarn's workspaces feature.
Yarns's workspaces allow you to easily setup a single monorepo containing all your interconnected dependencies, and let yarn thinking how to link them together in your dev environment.
i had a similar problem today , & thought this might help someone in the future and l have found out that if you install simultaneouly it
npm install --save package1 package2 package3 ...
it worked as l had
npm install xlsx angular-oauth2-oidc
but if you install separately it will have issues
Edit 2 More infor by #Michael
installing multiple packages in the same command also prevents hooks from being installed multiple times
Remove "package-lock.json" file befor installing the new package.
Are you saving the dependencies to package.json?
To Save : npm install --save {package_name}. This will save the package to package.json and install using npm install.
You can't particularly control the dependencies(fully). The dependencies which you have installed might be using dependencies themselves.So when you remove a package, npm deletes all the package's dependencies and the package.