Simple email application for Android. Original source code: https://framagit.org/dystopia-project/simple-email
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

276 lines
9.5 KiB

  1. # package-lock and npm-shrinkwrap
  2. `npm` can have one of two different lock files:
  3. * `package-lock.json`, which is ordinarily always present and is never published.
  4. * `npm-shrinkwrap.json`, which is created with `npm shrinkwrap` and usually published.
  5. You can only have one of them and in the event that you have both,
  6. `npm-shrinkwrap.json` takes precedence. The files are exactly the same
  7. format and in fact all the `npm shrinkwrap` command does is rename your
  8. `package-lock.json`.
  9. Through the rest of this document we will refer to the package-lock and
  10. `package-lock.json` but everything also applies to `npm-shrinkwrap.json`.
  11. ## File Format
  12. ### name
  13. The name of the package this is a package-lock for. This must match what's in `package.json`.
  14. ### version
  15. The version of the package this is a package-lock for. This must match what's in `package.json`.
  16. ### lockfileVersion *(new)*
  17. An integer version, starting at `1` with the version number of this document
  18. whose semantics were used when generating this `package-lock.json`.
  19. ### preserveSymlinks *(new)*
  20. Indicates that the install was done with the environment variable
  21. `NODE_PRESERVE_SYMLINKS` enabled. The installer should insist that the value of this
  22. property match that environment variable.
  23. ### dependencies
  24. These are the modules installed in the `node_modules`. Some of these are
  25. dependencies some of these are transitive dependencies (that is,
  26. dependencies of our dependencies).
  27. This is a mapping of package name to dependency object. Dependency objects have the
  28. following properties:
  29. #### version *(changed)*
  30. This is a specifier that uniquely identifies this package and should be
  31. usable in fetching a new copy of it.
  32. * bundled dependencies: Regardless of source, this is a version number that is purely for informational purposes.
  33. * registry sources: This is a version number. (eg, `1.2.3`)
  34. * git sources: This is a git specifier with resolved committish. (eg, `git+https://example.com/foo/bar#115311855adb0789a0466714ed48a1499ffea97e`)
  35. * http tarball sources: This is the URL of the tarball. (eg, `https://example.com/example-1.3.0.tgz`)
  36. * local tarball sources: This is the file URL of the tarball. (eg `file:///opt/storage/example-1.3.0.tgz`)
  37. * local link sources: This is the file URL of the link. (eg `file:libs/our-module`)
  38. #### integrity *(new)*
  39. This is a [Standard Subresource
  40. Integrity](https://w3c.github.io/webappsec/specs/subresourceintegrity/) for
  41. this resource.
  42. * For bundled dependencies this is not included, regardless of source.
  43. * For registry sources, this is the `integrity` that the registry provided, or if one wasn't provided the SHA1 in `shasum`.
  44. * For git sources this is the specific commit hash we cloned from.
  45. * For remote tarball sources this is an integrity based on a SHA512 of
  46. the file.
  47. * For local tarball sources: This is an integrity field based on the SHA512 of the file.
  48. #### resolved
  49. * For bundled dependencies this is not included, regardless of source.
  50. * For registry sources this is path of the tarball relative to the registry
  51. URL. If the tarball URL isn't on the same server as the registry URL then
  52. this is a complete URL.
  53. #### link *(new)*
  54. If this module was symlinked in development but had semver in the
  55. `package.json` then this is the relative path of that link.
  56. Discussion of the semantics of this will go in the symlinks RFC.
  57. Implementation note: To be implemented post npm@5.
  58. #### bundled *(new)*
  59. If true, this is the bundled dependency and will be installed by the parent
  60. module. When installing, this module will be extracted from the parent
  61. module during the extract phase, not installed as a separate dependency.
  62. #### dev
  63. If true then this dependency is either a development dependency ONLY of the
  64. top level module or a transitive dependency of one. This is false for
  65. dependencies that are both a development dependency of the top level and a
  66. transitive dependency of a non-development dependency of the top level.
  67. #### optional
  68. If true then this dependency is either an optional dependency ONLY of the
  69. top level module or a transitive dependency of one. This is false for
  70. dependencies that are both an optional dependency of the top level and a
  71. transitive dependency of a non-optional dependency of the top level.
  72. All optional dependencies should be included even if they're uninstallable
  73. on the current platform.
  74. #### from
  75. This is a record of what specifier was used to originally install this
  76. package. This should be used only for git dependencies.
  77. #### requires
  78. This is a mapping of module name to version. This is a list of everything
  79. this module requires, regardless of where it will be installed. The version
  80. should match via normal matching rules a dependency either in our
  81. `dependencies` or in a level higher than us.
  82. #### dependencies
  83. Exactly like `dependencies` at the top level, this is a list of modules to
  84. install in the `node_modules` of this module.
  85. ## Generating
  86. ### `npm init`
  87. If neither a `package-lock.json` nor an `npm-shrinkwrap.json` exist then
  88. `npm init` will create a `package-lock.json`. This is functionally
  89. equivalent to running `npm shrinkwrap` after the current init completes and
  90. renaming the result to `package-lock.json`.
  91. ### `npm install --save`
  92. If either an `npm-shrinkwrap.json` or a `package-lock.json` exists then it
  93. will be updated.
  94. If neither exist then a `package-lock.json` should be generated.
  95. If a `package.json` does not exist, it should be generated. The generated
  96. `package.json` should be empty, as in:
  97. ```
  98. {
  99. "dependencies": {
  100. }
  101. }
  102. ```
  103. If the user wants to get a default package name/version added they can run `npm init`.
  104. ### `npm shrinkwrap`
  105. If a `package-lock.json` exists, rename it to `npm-shrinkwrap.json`.
  106. Refresh the data from the installer's ideal tree.
  107. The top level `name` and `version` come from the `package.json`. It is an
  108. error if either are missing or invalid.
  109. #### dependencies.dev
  110. This is `true` if this dependency is ONLY installed to fulfill either a top
  111. level development dependency, or one of its transitive dependencies.
  112. Given:
  113. ```
  114. B (Dev) → C
  115. ```
  116. Then both B and C would be `dev: true`.
  117. Given:
  118. ```
  119. A → B → C
  120. B (Dev) -> C
  121. ```
  122. Then all dependencies would be `dev: false`.
  123. #### dependencies.optional
  124. This is `true` if this dependency is ONLY ever either an optional dependency
  125. or a transitive dependency of optional dependencies.
  126. Given:
  127. ```
  128. A (Opt) → B → C
  129. ```
  130. Then all three of A, B and C would be flagged as optional.
  131. Given:
  132. ```
  133. A (Opt) → B → C
  134. D → C
  135. ```
  136. Then A and B would be flagged as optional, but C would not be.
  137. Given:
  138. ```
  139. A (Opt) → B → C
  140. D → A
  141. ```
  142. Then none would be flagged as optional.
  143. ## Installing
  144. If the `packageIntegrity` in the `package-lock.json` differs from the one
  145. computed from the `package.json` then places where the `package.json` is
  146. incompatible with the `package-lock.json` a new module should be installed.
  147. That is, while the `package-lock.json` ordinarily defines the state of your
  148. project, if your `package.json` is edited independently it will take
  149. precedence.
  150. The `package-lock.json` describes the exact tree that `npm` should create.
  151. Any deviation between the `package.json` and the shrinkwrap/lock should
  152. result in a warning be issued. This includes:
  153. * Modules in `package.json` but missing from the `package-lock.json`
  154. * Modules in the `package-lock.json` but missing from the `package.json`.
  155. * Modules in `package.json` whose specifiers don't match the version in `package-lock.json`.
  156. Warn if the `lockfileVersion` in the `package-lock.json` is for a different
  157. major version than we implement.
  158. Module resolution from package-lock data works as such:
  159. * If install was run with `--resolve-links` and a dependency has a `link`
  160. property then a symlink is made using that. If the version of the
  161. destination can not be matched to the package-lock and/or the package.json
  162. then a warning will be issued.
  163. * Otherwise, if a `integrity` is available then we try to install it from the cache using it.
  164. If `integrity` is unavailable or we are unable to locate a module from the `integrity` then:
  165. * If `lockfileVersion` is set:
  166. * Install using the value of `version` and validate the result against the
  167. `integrity`.
  168. * Otherwise, try these in turn and validate the result against the `integrity`:
  169. * `resolved`, then `from`, then `version.
  170. * `from` can be either `package@specifier` or just `specifier`.
  171. Regardless of how the module is installed the metadata in the installed
  172. module should be identical to what it would have been if the module were
  173. installed w/o a package-lock.
  174. ## Implied Changes To Other Commands
  175. ### `npm rm --save`
  176. Currently if you ask to remove a package that's both a direct and a
  177. transitive dependency, we'll remove the package from `node_modules` even if
  178. this results in a broken tree. This was chosen at the time because we felt
  179. that users would expect `npm rm pkgname` to be equivalent of
  180. `rm -rf node_modules/pkgname`.
  181. As you are no longer going to be allowed to put your `node_modules` in a
  182. state that's not a valid package-lock, this means this behavior is no longer
  183. valid. Instead we should follow normal rules, removing it from the
  184. dependencies for the top level but only removing the module on disk if
  185. nothing requires it any more.
  186. ## Additional fields / Adding new fields
  187. Installers should ignore any field they aren't aware of. It's not an error
  188. to have additional properties in the package-lock or lock file.
  189. Installers that want to add new fields should either have one added via RFC
  190. in the npm issue tracker and an accompanying documentation PR, or should prefix
  191. it with the name of their project.