Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is the point of having resolved URL in package-lock.json?

whenever I generate a package-lock file, there is also "resolved" block that looks like this:

"resolved": "http://devel.npm.registry:4873/lodash/-/lodash-4.17.5.tgz" 

What is the point of this URL? Later, if I try to install dependencies based on this package-lock, do I need to use the same npm registry? Because we use a different npm registry for local development and for production builds. Thus when I develop, I use devel.npm.registry, but the CI tool uses production.npm.registry. According to my tests, the URL doesn't matter (I tried [email protected]). But it is current implementation that's gonna change soon or is the URL intentionally ignored? I have the feeling that some of the previous versions of npm actually checked the resolved URLs.

The documentation isn't much helpful in this case.

like image 906
Lukáš Havrlant Avatar asked Dec 17 '18 12:12

Lukáš Havrlant


People also ask

Why should you check in package lock json?

The goal of package-lock. json file is to keep track of the exact version of every package that is installed so that a product is 100% reproducible in the same way even if packages are updated by their maintainers. This solves a very specific problem that package. json left unsolved.

Should package lock json be edited?

json file is present, npm install will install the exact versions specified. The package-lock. json is not meant to be human-readable, and it's not meant to be edited manually.


1 Answers

I found some articles on the web regarding this question. Follow the links:

npm uses a JSON as a format for the lock file. The good news is since [email protected] ignores the resolved field on package-lock.json file and basically fallback to the one defined in the .npmrc or via --registry argument using the CLI in case is exist, otherwise, it will use the defined in the resolved field.

https://medium.com/verdaccio/verdaccio-and-deterministic-lock-files-5339d82d611e


Another day, another tweet about #npm5 goodies.

npm is now agnostic about which registry you used to generate the package-lock.json.

https://twitter.com/maybekatz/status/862834964932435969


The purpose of resolved in package-lock.json is to bypass the dependency resolution step (fetching metadata) when you are missing packages. integrity is to verify that you're getting the same thing. Without the resolved field, uncached installations can break due to metadata changes, and they'll also be significantly slower because we have to do a full metadata fetch before we can actually download anything.

Note that package-lock.json does not allow different packages to be fetched from different registries. Even if you have a package lock with different packages using different resolved fields, all of the packages will always be fetched from whatever your current registry= setting is, in npmrc. resolved fields that do not match the configured registry will go through the (slower) metadata fetching I mentioned above, but will still be fetched only from the current registry.

https://github.com/npm/npm/issues/16849#issuecomment-312442508

like image 127
Lukáš Havrlant Avatar answered Oct 13 '22 19:10

Lukáš Havrlant