Do you really understand NPM dependencies?

Tram Ho

You are writing a mobile/web app, you have a set of components and want to package it up into a library and publish it to npm for the community to use…

Then do you know…

  • Did you know that your yarn.lock file is ignored when someone else installs your library?
  • Did you know that this means a test suite that passes on your machine can still be broken on a user's machine, unless you avoid ranges like ^1.0.0 and pin an exact version such as 1.0.0?
  • Did you realize that ^1.0.0 by default pulls in minor version updates automatically, and that these can be quite significant, even carrying a few breaking changes?
  • Did you know that larger libraries like material-ui/core usually avoid bumping the major version, so some major changes ship through a minor version?
  • Did you know that running yarn upgrade updates what is in your yarn.lock file but ignores package.json?
  • Do you realize that this means that if you rely on the result of running yarn upgrade, you might ship bugs to the users of your library?

These are just a few things to keep in mind. You can accept the risk of minor version updates and carry on using them, but it may explain some of the problems your library's users run into (if they do).

Fun fact: if you have ^1.0.0 in your package.json and update it, the lockfile will show 1.1.0. If you then install another library that requires exactly version 1.0.1 (hard-coded), yarn will decide to downgrade you to 1.0.1 (and there will be no duplicate entry in yarn.lock; the 1.1.0 entry in yarn.lock is simply downgraded to 1.0.1).
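To make the caret rules and the dedup in the fun fact concrete, here is an added example (not from the original post) that models caret ranges and picks the single version a set of dependents can share; the `published` version list and the package.json shape are constructed, and the helper names are this example's own.

```javascript
// Added example: a minimal model of caret ranges and of how one resolved version
// is chosen when several dependents constrain the same package. Only exact
// versions ("1.0.1") and caret ranges ("^1.0.0") are handled; the real semver
// grammar is much larger. All sample versions below are constructed.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Caret: allow changes that do not modify the left-most non-zero component.
// ^1.2.3 => >=1.2.3 <2.0.0, ^0.2.3 => >=0.2.3 <0.3.0, ^0.0.3 => exactly 0.0.3
function satisfies(version, range) {
  if (!range.startsWith('^')) return compare(version, range) === 0; // exact pin
  const lower = range.slice(1);
  const [maj, min, pat] = parseVersion(lower);
  const [vMaj, vMin, vPat] = parseVersion(version);
  if (compare(version, lower) < 0) return false;
  if (maj > 0) return vMaj === maj;
  if (min > 0) return vMaj === 0 && vMin === min;
  return vMaj === 0 && vMin === 0 && vPat === pat;
}

// Highest published version that every dependent's range accepts. This mirrors
// the lockfile dedup in the fun fact: ^1.0.0 plus a pinned 1.0.1 resolves to 1.0.1.
// Returns null when no single version fits (two entries would then be needed).
function resolve(published, ranges) {
  const ok = published.filter(v => ranges.every(r => satisfies(v, r)));
  if (ok.length === 0) return null;
  return ok.sort(compare)[ok.length - 1];
}

// Library author's check: since consumers never use the library's yarn.lock,
// only exact pins guarantee they get the versions that were tested locally.
function unpinnedDependencies(pkg) {
  return Object.entries(pkg.dependencies || {})
    .filter(([, range]) => /^[\^~]/.test(range))
    .map(([name]) => name);
}
```

`resolve` returning null is the case where a lockfile would have to carry two entries for the same package rather than downgrading one of them.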

https://vir.vn/ban-co-thuc-su-hieu-npm-dependencies/

https://cmdcolin.github.io/archives


Source: Viblo