The below question refers to a project I'm not publishing to npm.
In NPM 3, if I had a package in devDependencies and ran shrinkwrap (without --development) then npm-shrinkwrap.json would not include the packages in devDependencies.
But with NPM 5, packages in dependencies and devDependencies are added to package-lock.json, with those from devDependencies having "dev": true.
So, if I'm just using npm install x to add packages and npm install to install everything on, say, a build server, is a package listed in dependencies treated any differently from a package listed in devDependencies?
It will make sense in production, when you'll need to install all packages except dev.
npm i --production
From npmjs.org:
With the --production flag (or when the NODE_ENV environment variable is set to production), npm will not install modules listed in devDependencies.
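The "dev": true marker mentioned in the question can be used to check what a production install should leave out. The following is an added example, not code from the original posts; the sample lock data, its package names and versions, and the function names partitionLock and devLeftovers are constructed for illustration.

```javascript
// Constructed sample in the npm 5 package-lock.json layout (lockfileVersion 1).
// Package names and versions are illustrative only.
const sampleLock = {
  name: 'my-app',
  version: '1.0.0',
  lockfileVersion: 1,
  dependencies: {
    express: { version: '4.16.2', requires: { 'body-parser': '1.18.2' } },
    'body-parser': { version: '1.18.2' },
    webpack: {
      version: '3.8.1',
      dev: true,
      // Nested copy needed only by webpack, so it is marked dev as well.
      dependencies: { 'supports-color': { version: '4.5.0', dev: true } }
    },
    mocha: { version: '4.0.1', dev: true }
  }
};

// Walk the whole lock tree and split entries on the "dev": true marker.
function partitionLock(lock) {
  const result = { prod: [], dev: [] };
  (function walk(deps, prefix) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = prefix + name;
      const bucket = entry.dev === true ? result.dev : result.prod;
      bucket.push(`${path}@${entry.version}`);
      walk(entry.dependencies, `${path} > `);
    }
  })(lock.dependencies, '');
  return result;
}

// installedNames: top-level folder names found in node_modules after
// `npm install --production` or `npm prune --production`. Returns dev-only
// packages that are still on disk and would ship with the deployment.
function devLeftovers(lock, installedNames) {
  return Object.entries(lock.dependencies || {})
    .filter(([name, entry]) => entry.dev === true && installedNames.includes(name))
    .map(([name]) => name)
    .sort();
}

console.log(partitionLock(sampleLock));
console.log(devLeftovers(sampleLock, ['express', 'body-parser', 'mocha']));
```

On a build server, installedNames would come from listing node_modules after the production install; a non-empty result means dev tooling is still present in the deployed tree.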
I have a Node.js project which has several dependencies.
I created the package.json file (npm init)
and try to install all the relevant packages
(npm install all) or (npm install)
with npm install I'm getting the following result:
npm notice created a lockfile as package-lock.json. You should commit this file.
but
when I'm trying to run, I'm getting an error that a package is missing (i.e. express, and I need to install it manually)
Is there a way (command) to install at once (with one command) all the relevant packages and dependencies (instead of installing each of the packages manually)?
Update 1:
I think I found the solution to your problem, you can use this npm module for auto installing your dependencies.
Install
npm install -g auto-install
Usage
Run auto-install in the directory you are working in.
So npm is simple!
you can add a single package using npm install package-name
or
you can install all using npm install, this will read your package.json file and install all the packages which are in there
Additionally you can do this:
npm install package1 package2 package to install multiple packages.
If a required dependency is not installed, just install it once manually using npm's --save argument and it will automatically add that dependency to your package.json.
For instance, if you are missing the express dependency, just run:
npm install --save express
That will install the dependency in your node_modules folder and also automatically update your package.json file to include express. On subsequent installs on different machines, you'll now only need to run npm install and the express package will be added automatically.
Update with a little more context: In Node your package.json file defines all dependencies that are required for your project. However, these dependencies are not automatically generated for you. npm init will create a boilerplate package.json, but it will not fill that package.json with any dependencies.
You need to define the dependencies yourself, which you can do one of two ways:
Manually add lines to your package.json's dependencies section
Use npm install --save <package name> to have npm install a package and automatically save that package as a dependency in your package.json file
If you aren't familiar with package.json files, I'd recommend sticking to approach number 2 so that npm handles editing that file for you.
Once you have a package.json with all of the dependencies you need, then when you pull down your project onto new machines you will be able to automatically install all dependencies at once using a simple npm install command. You can test this on your own machine by deleting the node_modules folder and running npm install, then trying to run your project. If it runs fine then you successfully added all dependencies to your package.json. If it complains about a missing package then add that package with npm install --save <package>
I'm still using node v6 and npm v3 and planning to move to node v8 and npm v5
I use npm on the client (Angular2) and server side (Express)
These are the steps I follow to manage node modules in
npm v3
to save in package.json and update npm-shrinkwrap.json
npm install packagename@version --save
to save in package.json dependency and not to update npm-shrinkwrap.json
npm install packagename@version --save-dev
npm install will install dependency and dependencies but will not update npm-shrinkwrap.json file
npm run build builds front end code using webpack
npm prune --production removes all devDependencies after the build process and will not update npm-shrinkwrap.json file
What I'm facing in
npm 5.4.2
npm install installs modules and updates package-lock.json with dependency and devDependencies if any change in version
npm run build builds front end code using webpack
npm prune --production removes all devDependencies from node_modules and package-lock.json
How can we enforce keeping dependency alone in package-lock.json?
Any other recommendations on build process?
Should we keep devDependencies in node_modules if it's not used in production?
------ Update on 10/25/2017 -------
To remove devDependencies without updating package-lock.json
try npm prune --production --no-package-lock
If I update the package.json file in an NPM workflow app, what command do existing users run to update their local node_modules dependencies?
To start using it, they run:
$ npm install
So what do they run if there is a change to the package.json file? Or do they just delete the folder and re-run the npm install command?
To re-validate the package.json and install adjusted versions or new packages:
$ npm install
The one thing this won't do is remove packages that aren't in package.json. To do that, run:
$ npm prune
If you've only changed package versions and not added new packages:
$ npm update
If you've updated a specific package version:
$ npm update {packagename}
You should either do
npm install && npm prune
or
npm upgrade && npm prune
npm install will be faster than npm upgrade because it only updates packages in node_modules if package.json demands a newer version. npm upgrade, on the other hand, will download updates to dependencies if they are available, which may include bug fixes. For ≥npm-5, you should use npm install because npm upgrade will have the side-effect of modifying any package-lock.json file, which should not be modified unless you are the package’s maintainer.
npm prune is necessary because the updates to package.json may have removed dependencies. If you do not run npm prune, packages installed by a prior version of package.json will remain in the node_modules directory that would not be there if you freshly downloaded/cloned the project and ran npm install. Due to how some packages conditionally call require() or even scan the node_modules directory, leaving packages which were removed from package.json can result in unexpected behavior.
I have a bunch of devDependencies needed in order to run test suite and have production dependencies locked down with npm shrinkwrap. The problem is that when I run npm install, only production dependencies are installed, in order to install devDependencies, I have to remove npm-shrinkwrap.json and run it again.
Now if shrinkwrap contains devDependencies as well, they get installed in production, where they are not required. Surely there should be some command line arguments to force only normal dependencies to be installed?
September, 2016:
As others have mentioned as well, there were some huge efforts to enhance the shrinkwrap feature starting with npm v3.10.8.
Thanks to this, it'll be possible to keep your devDependencies locked while installing only the production dependencies:
npm shrinkwrap --dev
npm install --only=prod
2013 answer:
As stated in the NPM docs:
Since npm shrinkwrap is intended to lock down your dependencies for
production use, devDependencies will not be included unless you
explicitly set the --dev flag when you run npm shrinkwrap. If
installed devDependencies are excluded, then npm will print a warning.
If you want them to be installed with your module by default, please
consider adding them to dependencies instead.
Basically, either you lock down all deps, or only the production deps.
Not even running npm install --dev or npm install --force can transcend the shrinkwrap functionality.
It looks like this feature was recently added in v3.3 of the npm client per the changelog
You'll now be able to run npm install --only=prod to achieve the effect you wish.
EDIT 2016/09/13
I've tested out npm v3.10.8, and this functionality now works as expected. We've shrinkwrapped our devDependencies and can install only prod dependencies when we deploy.
I think it's worth mentioning that this feature should start working as expected very soon. According to this github issue, tons of people were running into the same problem, and according to this pull request, it will be in the next release (scheduled for 2016-09-08).
With the pull request merged in, all you would have to do is:
npm i --only=prod
As to npm 5 (I've tried on 5.5.1 and 5.6.0), --production (--only=prod) flag is problematic.
When package-lock.json exists in the folder,
npm shrinkwrap --production
simply changes the file name to npm-shrinkwrap.json.
How I managed to solve this issue is to run:
npm prune --production
and then run:
npm shrinkwrap --production
This is fixed in npm 3.10.8; npm install --production shouldn't install dev deps in a shrinkwrap created by npm shrinkwrap --dev: https://github.com/npm/npm/releases/tag/v3.10.8
What is the practical difference between npm install and npm update? When should I use which?
The difference between npm install and npm update handling of package versions specified in package.json:
{
  "name":         "my-project",
  "version":      "1.0",                                // install   update
  "dependencies": {                                     // ------------------
    "already-installed-versionless-module": "*",        // ignores   "1.0" -> "1.1"
    "already-installed-semver-module":      "^1.4.3",   // ignores   "1.4.3" -> "1.5.2"
    "already-installed-versioned-module":   "3.4.1",    // ignores   ignores
    "not-yet-installed-versionless-module": "*",        // installs  installs
    "not-yet-installed-semver-module":      "^4.2.1",   // installs  installs
    "not-yet-installed-versioned-module":   "2.7.8"     // installs  installs
  }
}
Summary: The only big difference is that an already installed module with fuzzy versioning ...
gets ignored by npm install
gets updated by npm update
Additionally: install and update by default handle devDependencies differently
npm install will install/update devDependencies unless --production flag is added
npm update will ignore devDependencies unless --dev flag is added
Why use npm install at all?
Because npm install does more when you look besides handling your dependencies in package.json.
As you can see in npm install you can ...
manually install node-modules
set them as global (which puts them in the shell's PATH) using npm install -g <name>
install certain versions described by git tags
install from a git url
force a reinstall with --force
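The install/update table in this answer, modeled as code. This is an added example, not code from the answer or from npm: the range check is a minimal reimplementation covering only "*", caret and exact versions, it ignores lockfiles, and the function names and the published-version list are constructed for illustration.

```javascript
// Parse "1.4.3" into [1, 4, 3]; only full three-part versions are handled.
const parse = (v) => v.split('.').map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Minimal range check for the three forms used in the table:
// "*", caret ranges ("^1.4.3") and exact versions ("3.4.1").
function satisfies(version, range) {
  if (range === '*') return true;
  if (!range.startsWith('^')) return cmp(version, range) === 0;
  const base = range.slice(1);
  const [maj, min, pat] = parse(base);
  // A caret range allows changes to the right of the first non-zero part.
  const upper = maj > 0 ? `${maj + 1}.0.0`
    : min > 0 ? `0.${min + 1}.0`
    : `0.0.${pat + 1}`;
  return cmp(version, base) >= 0 && cmp(version, upper) < 0;
}

// Highest published version that satisfies the range, or null if none does.
function maxSatisfying(published, range) {
  const ok = published.filter((v) => satisfies(v, range)).sort(cmp);
  return ok.length ? ok[ok.length - 1] : null;
}

// Version present in node_modules after the command, following the table:
// install keeps an installed version that still satisfies the range,
// update moves to the highest satisfying published version.
function resolve(command, installed, range, published) {
  if (command === 'install' && installed && satisfies(installed, range)) {
    return installed;
  }
  return maxSatisfying(published, range);
}

// Constructed registry state for one module.
const samplePublished = ['1.4.3', '1.5.2', '2.0.0'];
console.log(resolve('install', '1.4.3', '^1.4.3', samplePublished)); // 1.4.3
console.log(resolve('update', '1.4.3', '^1.4.3', samplePublished));  // 1.5.2
```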
npm install installs all modules that are listed on package.json file and their dependencies.
npm update updates all packages in the node_modules directory and their dependencies.
npm install express installs only the express module and its dependencies.
npm update express updates express module (starting with npm@2.x, it doesn't update its dependencies).
So updates are for when you already have the module and wish to get the new version.
In most cases, this will install the latest version of the module published on npm.
npm install express --save
or better to upgrade module to latest version use:
npm install express@latest --save --force
--save: Package will appear in your dependencies.
More info: npm-install
npm update: install and update with latest node modules which are in package.json
npm install: install node modules which are defined in package.json(without update)
Many distinctions have already been mentioned. Here is one more:
Running npm install at the top of your source directory will run various scripts: prepublish, preinstall, install, postinstall. Depending on what these scripts do, a npm install may do considerably more work than just installing dependencies.
I've just had a use case where prepublish would call make and the Makefile was designed to fetch dependencies if the package.json got updated. Calling npm install from within the Makefile would have led to an infinite recursion, while calling npm update worked just fine, installing all dependencies so that the build could proceed even if make was called directly.