mirror of
https://github.com/titanscouting/tra-analysis.git
synced 2024-11-14 07:06:17 +00:00
143 lines
5.5 KiB
Markdown
143 lines
5.5 KiB
Markdown
|
package-lock.json(5) -- A manifestation of the manifest
|
||
|
=====================================================
|
||
|
|
||
|
## DESCRIPTION
|
||
|
|
||
|
`package-lock.json` is automatically generated for any operations where npm
|
||
|
modifies either the `node_modules` tree, or `package.json`. It describes the
|
||
|
exact tree that was generated, such that subsequent installs are able to
|
||
|
generate identical trees, regardless of intermediate dependency updates.
|
||
|
|
||
|
This file is intended to be committed into source repositories, and serves
|
||
|
various purposes:
|
||
|
|
||
|
* Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies.
|
||
|
|
||
|
* Provide a facility for users to "time-travel" to previous states of `node_modules` without having to commit the directory itself.
|
||
|
|
||
|
* To facilitate greater visibility of tree changes through readable source control diffs.
|
||
|
|
||
|
* And optimize the installation process by allowing npm to skip repeated metadata resolutions for previously-installed packages.
|
||
|
|
||
|
One key detail about `package-lock.json` is that it cannot be published, and it
|
||
|
will be ignored if found in any place other than the toplevel package. It shares
|
||
|
a format with npm-shrinkwrap.json(5), which is essentially the same file, but
|
||
|
allows publication. This is not recommended unless deploying a CLI tool or
|
||
|
otherwise using the publication process for producing production packages.
|
||
|
|
||
|
If both `package-lock.json` and `npm-shrinkwrap.json` are present in the root of
|
||
|
a package, `package-lock.json` will be completely ignored.
|
||
|
|
||
|
|
||
|
## FILE FORMAT
|
||
|
|
||
|
### name
|
||
|
|
||
|
The name of the package this is a package-lock for. This must match what's in
|
||
|
`package.json`.
|
||
|
|
||
|
### version
|
||
|
|
||
|
The version of the package this is a package-lock for. This must match what's in
|
||
|
`package.json`.
|
||
|
|
||
|
### lockfileVersion
|
||
|
|
||
|
An integer version, starting at `1` with the version number of this document
|
||
|
whose semantics were used when generating this `package-lock.json`.
|
||
|
|
||
|
### packageIntegrity
|
||
|
|
||
|
This is a [subresource
|
||
|
integrity](https://w3c.github.io/webappsec/specs/subresourceintegrity/) value
|
||
|
created from the `package.json`. No preprocessing of the `package.json` should
|
||
|
be done. Subresource integrity strings can be produced by modules like
|
||
|
[`ssri`](https://www.npmjs.com/package/ssri).
|
||
|
|
||
|
### preserveSymlinks
|
||
|
|
||
|
Indicates that the install was done with the environment variable
|
||
|
`NODE_PRESERVE_SYMLINKS` enabled. The installer should insist that the value of
|
||
|
this property match that environment variable.
|
||
|
|
||
|
### dependencies
|
||
|
|
||
|
A mapping of package name to dependency object. Dependency objects have the
|
||
|
following properties:
|
||
|
|
||
|
#### version
|
||
|
|
||
|
This is a specifier that uniquely identifies this package and should be
|
||
|
usable in fetching a new copy of it.
|
||
|
|
||
|
* bundled dependencies: Regardless of source, this is a version number that is purely for informational purposes.
|
||
|
* registry sources: This is a version number. (eg, `1.2.3`)
|
||
|
* git sources: This is a git specifier with resolved committish. (eg, `git+https://example.com/foo/bar#115311855adb0789a0466714ed48a1499ffea97e`)
|
||
|
* http tarball sources: This is the URL of the tarball. (eg, `https://example.com/example-1.3.0.tgz`)
|
||
|
* local tarball sources: This is the file URL of the tarball. (eg `file:///opt/storage/example-1.3.0.tgz`)
|
||
|
* local link sources: This is the file URL of the link. (eg `file:libs/our-module`)
|
||
|
|
||
|
#### integrity
|
||
|
|
||
|
This is a [Standard Subresource
|
||
|
Integrity](https://w3c.github.io/webappsec/specs/subresourceintegrity/) for this
|
||
|
resource.
|
||
|
|
||
|
* For bundled dependencies this is not included, regardless of source.
|
||
|
* For registry sources, this is the `integrity` that the registry provided, or if one wasn't provided the SHA1 in `shasum`.
|
||
|
* For git sources this is the specific commit hash we cloned from.
|
||
|
* For remote tarball sources this is an integrity based on a SHA512 of
|
||
|
the file.
|
||
|
* For local tarball sources: This is an integrity field based on the SHA512 of the file.
|
||
|
|
||
|
#### resolved
|
||
|
|
||
|
* For bundled dependencies this is not included, regardless of source.
|
||
|
* For registry sources this is path of the tarball relative to the registry
|
||
|
URL. If the tarball URL isn't on the same server as the registry URL then
|
||
|
this is a complete URL.
|
||
|
|
||
|
#### bundled
|
||
|
|
||
|
If true, this is the bundled dependency and will be installed by the parent
|
||
|
module. When installing, this module will be extracted from the parent
|
||
|
module during the extract phase, not installed as a separate dependency.
|
||
|
|
||
|
#### dev
|
||
|
|
||
|
If true then this dependency is either a development dependency ONLY of the
|
||
|
top level module or a transitive dependency of one. This is false for
|
||
|
dependencies that are both a development dependency of the top level and a
|
||
|
transitive dependency of a non-development dependency of the top level.
|
||
|
|
||
|
#### optional
|
||
|
|
||
|
If true then this dependency is either an optional dependency ONLY of the
|
||
|
top level module or a transitive dependency of one. This is false for
|
||
|
dependencies that are both an optional dependency of the top level and a
|
||
|
transitive dependency of a non-optional dependency of the top level.
|
||
|
|
||
|
All optional dependencies should be included even if they're uninstallable
|
||
|
on the current platform.
|
||
|
|
||
|
|
||
|
#### requires
|
||
|
|
||
|
This is a mapping of module name to version. This is a list of everything
|
||
|
this module requires, regardless of where it will be installed. The version
|
||
|
should match via normal matching rules a dependency either in our
|
||
|
`dependencies` or in a level higher than us.
|
||
|
|
||
|
|
||
|
#### dependencies
|
||
|
|
||
|
The dependencies of this dependency, exactly as at the top level.
|
||
|
|
||
|
## SEE ALSO
|
||
|
|
||
|
* npm-shrinkwrap(1)
|
||
|
* npm-shrinkwrap.json(5)
|
||
|
* npm-package-locks(5)
|
||
|
* package.json(5)
|
||
|
* npm-install(1)
|