NPM & Lockfiles

❤️ A Love Story ❤️

 

Danielle Adams / BrooklynJS

@adamzdanielle

$ npm list
$ npm test

what is SemVer?

SemVer is Semantic Versioning - the versioning standard used by npm libraries.

example: 2.5.12

  • 2.x.x MAJOR
  • x.5.x MINOR
  • x.x.12 PATCH

I'm working on an library - please trust my judgement and understanding of SemVer!

shrinkwrap to the rescue!

  • locks dependencies!
  • works with npm command line tool!
  • minimal configuration upfront!

hold on. what is locking?

In code bases, such as a JavaScript application, there are several dependencies and libraries used for both runtime and development. These have child dependencies and so on - creating a dependency tree.

Dependency locking freezes the dependency tree or parts of it to ensure a consistent build across all computers.

{
  "name": "my-app",
  "version": "0.1.3",
  "dependencies": {
    "ember-power-select": {
      "version": "1.8.5",
      "dependencies": {
        "ember-basic-dropdown": {
          "version": "0.32.9",
          "dependencies": {
            "ember-native-dom-helpers": {
              "version": "0.5.8"
            }
          }
        }
      }
    }
  }
}


$ npm list

I'm going to lock all my libraries with a shrinkwrap file!

If a child dependency publishes a shrinkwrap file with their module, it will overwrite dependencies at the application level.

maybe it could be better?

💔

why can't we have a complete lock file?

In late 2016, Facebook released Yarn, a JavaScript package manager and command line tool replacement for NPM. When installing dependencies it generates a yarn.lock file (among other cool things).

❤️

what's a Lockfile?

A Lockfile is a generated file that specifies the exact version of every single dependency in the tree.

If the file exists, it installs the tree exactly as represented in the lock file.

Getting other developers to move to a different command line tool can be challenging.

App

Team 1

Team 2

$ git revert relationship

💔

can't I just use npm?

In spring of 2017, npm finally released their version 5, which had the ability to generate a package-lock.json file.

❤️

{
  "ember-power-select": {
    "version": "1.8.5",
    "resolved": "https://registry.npmjs.org/ember-power-select/-/ember-power-select-1.8.5.tgz",
    "integrity": "",
    "dev": true,
    "requires": {
      "ember-basic-dropdown": "0.32.9",
      "ember-cli-babel": "6.11.0",
      "ember-cli-htmlbars": "2.0.3",
      "ember-concurrency": "0.8.12",
      "ember-text-measurer": "0.3.3",
      "ember-truth-helpers": "1.3.0"
    },
    "dependencies": {
      "amd-name-resolver": {
        "version": "0.0.7",
        "resolved": "https://registry.npmjs.org/amd-name-resolver/-/amd-name-resolver-0.0.7.tgz",
        "integrity": "",
        "dev": true,
        "requires": {
          "ensure-posix-path": "1.0.2"
        }
      }
    }
  }
}

package-lock.json 4ever

  • locks dependencies!
  • works with npm command line tool!
  • minimal configuration upfront!

👩‍👩‍👧‍👦

to summarize...

+

🔒

=

❤️

thank you! ❤️

Danielle Adams

slides.com/danielleadams/npm-lockfiles

@adamzdanielle