I just ran this command
npx tsc -v
and it said Version 4.5.5.
Then, I look in package.json and package-lock.json and they say typescript 4.4.4. When I look in node_modules/typescript/package.json, I see version 4.5.5. Why is npx not detecting this and throwing an error OR better yet, doing what java does and delete the old one and install the correct one.
Even better would be caching all downloaded versions outside the repo for projects to use but only using the version that my project uses so projects can share versions OR not share versions easily without wasting disk space like it is done now(the gradle/maven-java way).
Related
I am using node-sass 4.13.1 which wraps libsass 3.5.4.
Due to security reasons we need to update libsass to 3.6.0 without downgrading the node-sass version.
How can this be achieved. Specifying the libsass version in the package.json is not feasible since libsass is not a dependency but rather a wrapped library.
Is it possible to force the use of libsass 3.6.0 after all dependencies for the repo have been installed?
Does anybody know a better solution?
I am leaning towards looking into how i can edit the scripts part of the package.json file to run a pre-install script which will force the version. Is that a good idea?
Thanks
There are forked versions of node-sass that do have 3.6.x in them, as well as a branch within the main project repo. The problem is that you will have to build it yourself in order to use them.
https://github.com/ItsLeeOwen/node-sass/tree/libsass-2b8a17a
or
https://github.com/sass/node-sass/tree/libsass-3.6.1
for example.
There is a branch available in node-sass repository which uses LibSass v3.6.3 with node-sass v4.13.1
I also faced the same issue and after doing a lot of research, the below solution worked for me:
Try installing the branch of node-sass from the github repository by using the below command (the package is already built, so you don't have to build it explicitly)
npm install https://github.com/sass/node-sass.git#v5
As title indicates, I'm working on a project where different members have used different tools (NPM and Yarn) for handling packages and modules etc.
We aim to transition to use ONLY Yarn (not our decision). Would anyone be able to share resources detailing how to accomplish such a thing? Or help quickly walk me through the steps?
I tried googling for answers but every single result is yet another article explaining why you should ditch NPM/Yarn and move your project to Yarn/NPM, without explaining the steps one would need to take to move from using both to just one mid-project. Thanks!
It looks like Yarn has a page talking about how to migrate to it from NPM:
https://yarnpkg.com/lang/en/docs/migrating-from-npm/
In most cases, running yarn or yarn add for the first time will just work. In some cases, the information in a package.json file is not explicit enough to eliminate dependencies, and the deterministic way that Yarn chooses dependencies will run into dependency conflicts. This is especially likely to happen in larger projects where sometimes npm install does not work and developers are frequently removing node_modules and rebuilding from scratch. If this happens, try using npm to make the versions of dependencies more explicit, before converting to Yarn.
As of Yarn 1.7.0, you can import your package-lock.json state, generated by npm to Yarn, by using yarn import.
They use many of the same files and structures. The important thing is to check-in the yarn.lock file and make sure everyone is installing using Yarn instead of NPM.
If you have a build server, you could probably use it to enforce those dependencies, but it would be more work.
I'm working on 2 projects, one library project is the npm depencency of the others.
The library project is automatically published to local npm registry (nexus) by CI (Gitlab), so developers that are only working on 2nd project don't need to download library project (at least this is the welcomed solution).
However, after deleting node_modules/mylibrary and calling npm install, I've found out, that I've got... old version of the package. The library was correcly built and our nexus allows redeploy, and it works perfectly in Gitlab CI (the project gets always the actual version of library package) so it looks like something was cached locally somewhere else (not in project itself).
How to force npm to download the actual version of the package, purging local cache if necessary? Increasing the library version after each commit is not a viable solution (if it was, there would be never the concept of snapshots in maven).
When I update my deps with yarn upgrage-interactive, it does update in yarn.lock file (and node_module ofc), but package.json still without updates.
How can I update my package.json deps accordingly to latest upgrade packages, which in yarn.lock file?
And how is correct to make updates, so it will affect both yarn.lock n package.json files?
Here's a good tool to do that. Run it, then run yarn and all of your packages will be at their latest versions, updated in the package.json as well.
Be careful, though, as going through a process like this might break your app, especially if it's a major version update (or even a minor one), so the responsibility is still on you. If this concerns you, updating versions manually would be the best bet. If you're using VSCode, it gives intellisense for packages and package versions in package.json, which helps a lot.
After updating my NPM to the latest version (from 3.X to 5.2.0) and running npm install on an existing project, I get an auto-created package-lock.json file.
I can tell package-lock.json gives me an exact dependency tree as opposed to package.json.
From that info alone, it seems like package.json is redundant and not needed anymore.
Are both of them necessary for NPM to work?
Is it safe or possible to use only the package-lock.json file?
The docs on package-lock.json (doc1, doc2) doesn't mention anything about that.
Edit:
After some more thinking about it, I came to the conclusion that if someone wants to use your project with an older version of NPM (before 5.x) it would still install all of the dependencies, but with less accurate versions (patch versions)
Do you need both package-lock.json and package.json? No.
Do you need the package.json? Yes.
Can you have a project with only the package-lock.json? No.
The package.json is used for more than dependencies - like defining project properties, description, author & license information, scripts, etc. The package-lock.json is solely used to lock dependencies to a specific version number.
package-lock.json: records the exact version of each installed package which allows you to re-install them. Future installs will be able to build an identical dependency tree.
package.json: records the minimum version you app needs. If you update the versions of a particular package, the change is not going to be reflected here.
If your question is if lock file should be committed to your source control - it should. It will be ignored under certain circumstance.
I found it bloating pull requests and commit history, so if you see it change, do a separate commit for it.