… request version 2 and some-other-library, but some-other-library depends on request version 1, the resulting dependency graph gives each its own copy: my package gets request v2, and some-other-library gets a nested copy of request v1 that it can use without interfering with my package's v2 copy. Everyone's code works!

… the <script>s you would drop into your page to attach things to jQuery.prototype for your later convenience.

… of the chai-as-promised plugin work with chai version 0.5, whereas versions 3.x work with chai 1.x. Or, in the faster-paced and less semver-friendly world of Grunt plugins, version 0.3.1 of grunt-contrib-stylus works with grunt 0.4.0rc4, but breaks when used with grunt 0.4.0rc5 due to removed APIs.

… the 'dependencies' hash in package.json clearly falls down for plugins. Most plugins never actually depend on their host package: Grunt plugins never require('grunt'), so even if plugins did list their host package as a dependency, the downloaded copy would never be used. We'd be back to square one, with your application possibly plugging the plugin into a host package that it is incompatible with.

… listing the host in package.json would result in a dependency tree with multiple copies of the host package, which is not what you want. For example, let's pretend that winston-mail 0.2.3 specified 'winston': '0.5.x' in its 'dependencies' hash, since that's the latest version it was tested against. As an app developer, you want the latest and greatest stuff, so you look up the latest versions of winston and of winston-mail and put them in your package.json. Running npm install then produces an unexpected dependency graph: your app gets the latest winston at the top level, and winston-mail gets its own nested winston 0.5.x, so two copies of the host are present and the plugin is still plugged into whichever one your app loads.

… installing jitsu 0.11.6 with npm 1.2.10 reports a conflict: jitsu depends on two Flatiron-related packages, which themselves peer-depend on conflicting versions of Flatiron. Good thing npm was around to help us figure out this conflict, so it could be fixed in version 0.11.7!

… chai-as-promised's package.json declares chai as a peer dependency. Now when you install chai-as-promised, the chai package comes along with it. And if later you try to install another Chai plugin that only works with 0.x versions of Chai, you'll get an error. Nice!

… use '~1.0' or '1.x' to express this. If you depend on features introduced in 1.5.2, use '>= 1.5.2 < 2'. Note that the two are not equivalent: '~1.0' only admits 1.0.x patch releases, whereas '1.x' accepts any 1.y.z, so for a host that follows semver the wider '1.x' is normally what a plugin wants.
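As an added example, not the snippet from the original post, here is what a plugin's package.json looks like when it declares its host as a peer dependency. The package name and the devDependencies pin are invented for illustration; the chai range '1.x' is the one recommended above for a plugin that works with any 1.y.z host:

```json
{
  "name": "example-chai-plugin",
  "version": "1.0.0",
  "description": "Hypothetical Chai plugin used only to illustrate peerDependencies",
  "peerDependencies": {
    "chai": "1.x"
  },
  "devDependencies": {
    "chai": "1.5.0"
  }
}
```

The peerDependencies entry tells npm which host versions the plugin is compatible with without installing a private copy of the host; the devDependencies entry pins a concrete host for the plugin's own test suite. Behaviour differs across npm majors: npm 1 and 2 installed peers automatically, npm 3 to 6 only printed a warning when a peer was missing or mismatched, and npm 7 and later install peers again and abort with an ERESOLVE error when two packages' peer ranges cannot be satisfied at once (pass --legacy-peer-deps to get the old warning-only behaviour).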
The job of package.json is to describe the project. Think of package.json as the stamped label on the boxes of npm goods that the army of Wombats delivers around. package.json is generated when npm init is run to initialise a JavaScript/Node.js project, with these basic metadata provided by the developer:

- name: the name of your JavaScript library/project
- version: the version of your project. For application development this field is often neglected, since an application is not published as a library, but it still comes in handy as the source of a deployment's version.
- description: the project's description
- license: the project's license

package.json also supports a scripts property, which defines commands that run tools installed in the project's local context. Tools such as eslint, prettier, ncc and jest are not necessarily installed as global executables but rather locally to your project, inside node_modules/.bin/. These project-scoped commands can be run just like a globally installed program by prefixing them with npx (e.g. npx prettier --write **/*.ts).
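An added example (not the original post's snippet) of a scripts section that drives project-local tools; the package name, script contents and version ranges are assumptions:

```json
{
  "name": "example-service",
  "version": "1.0.0",
  "scripts": {
    "lint": "eslint src/",
    "format": "prettier --write \"src/**/*.ts\"",
    "test": "jest",
    "build": "ncc build src/index.ts -o dist"
  },
  "devDependencies": {
    "@vercel/ncc": "^0.36.0",
    "eslint": "^8.0.0",
    "jest": "^29.0.0",
    "prettier": "^2.8.0"
  }
}
```

npm run lint (or npm test, npm run build) prepends node_modules/.bin to PATH before executing the command, so eslint resolves to the project's own copy even when no global one exists. Two cautions for anyone running these in CI: npx with a package that is not installed locally will fetch it from the registry and execute it (npm 7 and later ask first unless --yes is given), and npm itself runs the preinstall/postinstall lifecycle scripts of every dependency during install, so npm ci --ignore-scripts is worth considering where the build does not need them.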
Dependencies are recorded by the npm install command with the --save and --save-dev flags, which put a package under dependencies or devDependencies respectively: the first is for what the application needs in production, the second for development and test tooling. Since npm 5, --save is the default, so a plain npm install <package> already writes to dependencies, and -D is shorthand for --save-dev. We will drill deeper into the installation of these packages in the next section.

Version ranges in package.json follow the major.minor.patch model of semver:

- ^ (caret): allows minor and patch updates within the same major. A ^1.0.4 specification may install 1.3.0 if that is the latest release in the 1.x series.
- ~ (tilde): allows patch updates only. A ~1.0.4 specification may install 1.0.7 if that is the latest patch release in the 1.0.x series.

Below 1.0.0 the caret is stricter: ^0.2.3 admits only 0.2.x, because semver treats each 0.y minor as potentially breaking. Neither prefix decides what is actually installed; that is settled at resolve time and recorded in the lock file.
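To make the two prefixes concrete, here is an added example (not code from the original post) that implements caret, tilde, x-range and comparator matching for the range forms used on this page, then resolves the highest published version the way a fresh npm resolve would. The version list is constructed for the demonstration, not registry data; production code should use the semver package, which also handles pre-release tags that this resolver deliberately rejects.

```javascript
// Added example, not code from the original post: a small resolver for the
// range forms the text uses (^1.0.4, ~1.0.4, 1.x, '>= 1.5.2 < 2', exact
// versions). Pre-release tags and build metadata are unsupported on purpose.
'use strict';

// "1.5" -> [1, 5, 0]; "2" -> [2, 0, 0]; "1.0.7" -> [1, 0, 7]
function pad(s) {
  const parts = s.split('.').map(Number);
  while (parts.length < 3) parts.push(0);
  return parts;
}

function parseVersion(v) {
  const s = v.trim();
  if (!/^v?\d+\.\d+\.\d+$/.test(s)) throw new Error(`unsupported version: ${v}`);
  return pad(s.replace(/^v/, ''));
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Translate one range string into comparators that must ALL hold.
function comparators(range) {
  const tokens = [];
  for (const t of range.trim().split(/\s+/)) {
    const last = tokens[tokens.length - 1];
    // rejoin an operator written with a space before its operand: ">= 1.5.2"
    if (last !== undefined && /^[<>=]+$/.test(last)) tokens[tokens.length - 1] = last + t;
    else tokens.push(t);
  }
  const out = [];
  for (const t of tokens) {
    let m;
    if ((m = /^\^(\d+(?:\.\d+){0,2})$/.exec(t))) {
      // caret: the leftmost non-zero component may not change
      const [a, b, c] = pad(m[1]);
      const upper = a > 0 ? [a + 1, 0, 0] : b > 0 ? [0, b + 1, 0] : [0, 0, c + 1];
      out.push({ op: '>=', ver: [a, b, c] }, { op: '<', ver: upper });
    } else if ((m = /^~(\d+(?:\.\d+){0,2})$/.exec(t))) {
      // tilde: patch-level changes only (minor-level when only the major is given)
      const [a, b, c] = pad(m[1]);
      const upper = m[1].includes('.') ? [a, b + 1, 0] : [a + 1, 0, 0];
      out.push({ op: '>=', ver: [a, b, c] }, { op: '<', ver: upper });
    } else if ((m = /^(<=|>=|<|>|=)(\d+(?:\.\d+){0,2})$/.exec(t))) {
      out.push({ op: m[1], ver: pad(m[2]) });
    } else if ((m = /^(\d+)(?:\.(\d+|x|\*))?(?:\.(\d+|x|\*))?$/.exec(t))) {
      // x-ranges: "1", "1.x", "1.2.x"; or an exact "1.2.3"
      const a = Number(m[1]);
      if (m[2] === undefined || /^[x*]$/.test(m[2])) {
        out.push({ op: '>=', ver: [a, 0, 0] }, { op: '<', ver: [a + 1, 0, 0] });
      } else if (m[3] === undefined || /^[x*]$/.test(m[3])) {
        const b = Number(m[2]);
        out.push({ op: '>=', ver: [a, b, 0] }, { op: '<', ver: [a, b + 1, 0] });
      } else {
        out.push({ op: '=', ver: [a, Number(m[2]), Number(m[3])] });
      }
    } else {
      throw new Error(`unsupported range syntax: ${t}`);
    }
  }
  return out;
}

const OPS = {
  '<': d => d < 0, '<=': d => d <= 0, '>': d => d > 0, '>=': d => d >= 0, '=': d => d === 0,
};

function satisfies(version, range) {
  const v = parseVersion(version);
  return comparators(range).every(c => OPS[c.op](cmp(v, c.ver)));
}

// Highest published version inside the range (what a fresh resolve picks), or null.
function maxSatisfying(published, range) {
  let best = null;
  for (const v of published) {
    if (satisfies(v, range) && (best === null || cmp(parseVersion(v), parseVersion(best)) > 0)) best = v;
  }
  return best;
}

// Constructed version list for the demonstration, not real registry data.
const PUBLISHED = ['0.5.0', '0.5.3', '0.6.0', '1.0.4', '1.0.7', '1.3.0', '2.0.0'];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(maxSatisfying(PUBLISHED, '^1.0.4'));  // 1.3.0
  console.log(maxSatisfying(PUBLISHED, '~1.0.4'));  // 1.0.7
  console.log(maxSatisfying(PUBLISHED, '^0.5.0'));  // 0.5.3: a 0.x caret stays inside the minor
  console.log(satisfies('0.5.0', '1.x'));            // false: a chai 0.5 host cannot satisfy a '1.x' peer range
  console.log(satisfies('1.9.9', '>= 1.5.2 < 2'));   // true
}
if (typeof module !== 'undefined') module.exports = { satisfies, maxSatisfying, comparators, parseVersion, PUBLISHED };
```

The same satisfies() check is what decides whether a plugin's peer range (say '1.x') is met by the host version the application actually resolved, which is the conflict the jitsu example above ran into.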
The package-lock.json file. If package.json is a generic descriptive label, package-lock.json is the ingredient table. It is not meant to be read line by line by developers (unless we're desperate to resolve 'works on my machine' issues). package-lock.json is generated by the npm install command, and is read back by the npm CLI to reproduce the exact same dependency tree, most directly with npm ci.

npm install <package-name> installs the latest version of a package and records it in package.json with the ^ prefix. A plain npm install inside a project downloads packages into the project's node_modules folder according to package.json. If package-lock.json exists and is consistent with package.json, npm (5.1 and later) installs exactly the locked versions; only when the lock is missing, or package.json has been edited to a range the lock no longer satisfies, does npm resolve afresh within the ^ and ~ ranges and regenerate package-lock.json. To deliberately move dependencies forward within their ranges, use npm update. Add -g to install a package in the global context, usable anywhere on your machine (common for command-line tooling packages like live-server).

For production deployments the --production flag comes to the rescue. In the previous section we discussed dependencies and devDependencies, meant for production and for development/test respectively; this flag is how that difference is applied to node_modules. With --production, npm install only installs packages from dependencies, drastically reducing node_modules to what is absolutely necessary for the application to run. Nobody wants to ship devDependencies to production! npm 8 and later spell the same option --omit=dev, and setting NODE_ENV=production has the same effect.

Since npm install --production is optimal for a production environment, is there a command that is optimal for a test or CI setup, where you want exactly the dependency tree that was developed and reviewed against? npm ci. Where package-lock.json is generated by npm install (if it doesn't already exist), npm ci consumes it: it requires the lock file to be present and in sync with package.json (and errors out otherwise), deletes any existing node_modules, installs the exact version of every package the project depends on, and never modifies package.json or package-lock.json.
npm audit. npm maintains a database of security advisories that developers can audit their dependencies against with the npm audit command. It checks the installed tree (as recorded in package-lock.json) and reports each known vulnerability, its severity, the affected version range, and whether a fixed version exists to upgrade to. npm audit fix upgrades the affected dependencies automatically, but only within the semver ranges package.json already allows; fixes that require a major version bump are left for npm audit fix --force, which can introduce breaking changes and should be reviewed by hand. In CI, npm audit --audit-level=high makes the command exit non-zero only for that severity or above.
Packages are published with npm publish. The tricky part, which is not specific to npm package authors, is determining the version of the package.

… ^ (which accepts later minor and patch releases of the same major, not just the next minor version).