Assume I have a legacy codebase working with some old packages:
"mobx": "5.15.4",
"mobx-react": "6.1.8",
While developing some new experimental feature, I want to use newer versions of these packages, but also have to leave the legacy code in a working state. So, I'm aliasing newer versions of the packages so I can use them alongside the old ones:
"@new/mobx": "npm:mobx@^6.3.13"
"@new/mobx-react": "npm:mobx-react@^7.2.1"
But mobx-react uses mobx as a peer dependency. Obviously, the problem is that @new/mobx-react is watching the old mobx version and, as expected, says that there should be mobx of version 6+.
Is there any way to manually resolve the peer dependency of @new/mobx-react, so it will watch @new/mobx and not just mobx? Or, maybe there is a way to implicitly install peer deps for @new/mobx-react in a way that will not override the old mobx version?
You can easily do that:
set NODE_ENV=development
npm install mobx@5.15.4 --save
npm install mobx-react@6.1.8 --save
npm install @new/mobx@npm:mobx@^6.3.13 --save
npm install @new/mobx-react@npm:mobx-react@^7.2.1 --save
Then you must manually install the dependencies for your @new/mobx-react as follows:
cd ./node_modules/@new/mobx-react
npm install --ignore-scripts
That will lead to mobx version 6.3.14 being in the node_modules of your @new/mobx-react.
Node.js (starting from npm version 3) first tries to load a dependency from the package's internal node_modules, then from the project's node_modules; see the documentation.
Note: Do guide me if something is missing.
So, I wanted to install a package from https://rnfirebase.io/auth/usage, but I have an npm project. The command on the website is only for yarn. I don't want to add yarn to the project because (Is there any harm in using NPM and Yarn in the same project?) states that it is not recommended.
So, then how do I install it with npm?
You have to use yarn, or you can look for a package that has the functions that you are looking for using npm
You can install it with npm just fine, don't worry. They are all package managers installing npm packages from the same repository. There is no difference in what you are installing or how they are installed. You can get different node_module structures, but for yarn you need config for that.
Yes, it's not recommended because it generates different lockfiles that will dictate different structures and versions in your node_modules folder. You want multiple devs to have the same "experience". However, lots of JS frameworks will come pre-configured with yarn, like React Native, and you just end up having two lockfiles, one for npm and one for yarn. There is no harm in deleting the yarn file and keeping the package-lock. If you delete both, a new lockfile for the package manager you are using will be generated on npm i | yarn i | pnpm anyway.
To install it with npm just use npm i <PACKAGE_NAME>, so npm i @react-native-firebase/app.
Here is the npm repo page for that package, https://www.npmjs.com/package/@react-native-firebase/app, notice the install command is npm! The only reason the firebase devs only mention yarn is because they are hipsters ;)
When I run
npm audit
It tells me I have a critical vulnerability in lodash. When I run
npm ls lodash
I have 47 instances of lodash being deduped.
How can I tell which of my dependencies are holding on to the vulnerable version?
If you temporarily add the vulnerable package at the patched version:
"lodash": ">=4.17.21",
to your package.json and then run npm update <VULNERABLE_PACKAGE> for the vulnerable package, npm will update all the child dependencies it can.
You can then run npm outdated --depth=5 <VULNERABLE_PACKAGE> and it will show which dependencies are forcing an earlier version.
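As an added example (not from the question or the answer above), the same hunt done offline: a Python script that walks the "packages" map of a package-lock.json, mimics Node's module lookup order, and reports which dependants still resolve to a copy of the vulnerable package below the patched version. The lockfile contents and the package names app-utils and report-gen are constructed for the demo.

```python
import json
from typing import Dict, List, Optional, Tuple
# Constructed, minimal package-lock.json ("packages" map of lockfile v2/v3);
# not a real project's lockfile. The "" key is the root project.
LOCK = json.loads("""{
  "packages": {
    "": {"dependencies": {"app-utils": "^1.0.0", "report-gen": "^2.0.0", "lodash": "^4.17.21"}},
    "node_modules/lodash": {"version": "4.17.21"},
    "node_modules/app-utils": {"version": "1.0.0", "dependencies": {"lodash": "^4.17.0"}},
    "node_modules/report-gen": {"version": "2.0.0", "dependencies": {"lodash": "~4.17.10"}},
    "node_modules/report-gen/node_modules/lodash": {"version": "4.17.15"}
  }
}""")

def parse_version(v: str) -> Tuple[int, ...]:
    # Numeric part only; a pre-release tag is ignored for this comparison.
    return tuple(int(x) for x in v.split("-")[0].split("."))

def resolve(packages: Dict[str, dict], from_path: str, name: str) -> Optional[str]:
    """Mimic Node's lookup: the dependant's own node_modules first, then each
    ancestor's node_modules, ending at the project root."""
    base = from_path
    while True:
        cand = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if cand in packages:
            return cand
        if not base:
            return None
        # Step up one nesting level: node_modules/a/node_modules/b -> node_modules/a -> ""
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""

def top_level_owner(path: str) -> str:
    """The direct dependency of the root project that a nested path lives under."""
    if not path.startswith("node_modules/"):
        return path
    parts = path.split("/")
    return "/".join(parts[1:3]) if parts[1].startswith("@") else parts[1]

def vulnerable_dependants(packages: Dict[str, dict], name: str, fixed: str) -> List[Tuple[str, str, str]]:
    """Every (dependant, resolved copy, version) where `name` resolves below `fixed`."""
    out = []
    for path, meta in packages.items():
        if name in meta.get("dependencies", {}):
            copy = resolve(packages, path, name)
            if copy and parse_version(packages[copy]["version"]) < parse_version(fixed):
                out.append((path or "<root>", copy, packages[copy]["version"]))
    return out

if __name__ == "__main__":
    for dep, copy, ver in vulnerable_dependants(LOCK["packages"], "lodash", "4.17.21"):
        print(f"{top_level_owner(dep)} -> {dep} still resolves {copy} ({ver})")
```

Point it at a real lockfile by replacing LOCK with json.load(open("package-lock.json")); the nested copy under report-gen is exactly what "npm ls lodash" shows as a non-deduped instance.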
I have a question regarding the package manager npm and the meaning of installing the package globally.
For example, I work often with react; should I install react globally?
npm install -g react react-dom
Does this mean that next time when I do
npx create-react-app my-app
It will get the package from the global or it does not matter and it will still download it locally inside my-app?
Because I really do not understand the idea behind installing globally.
Because if I want to use a package it should be mentioned in package.json, and if it is in package.json it is then located in node_modules ... so yeah ...
Could anyone give me better insight?
Thanks in advance
The React library can be installed globally on your local machine. In development there is no real reason to do that, since you might not have the latest version and this might cause issues.
Better practice is to use react on the project level by using the command you stated above: npx create-react-app my-app
If you push code to a server the package.json file will install the dependencies (React, React DOM,..) to build your project.
Read more here: https://create-react-app.dev/docs/getting-started/
If you've previously installed create-react-app globally via npm install -g create-react-app, we recommend you uninstall the package using npm uninstall -g create-react-app or yarn global remove create-react-app to ensure that npx always uses the latest version.
You can check what packages are installed globally using:
npm list -g --depth 0
I am new to npm and angular projects, and I am using bootstrap@4.1.1 in my package.json. When I do npm install, I get the following error:
bootstrap@4.1.1 requires a peer of jquery@1.9.1 - 3 but none is installed. You must install peer dependencies yourself.
Does this mean that I need to add jquery@1.9.1 - 3 to my package.json under the peerDependencies section, apart from installing it locally with the no-save option?
Also, do we need to install this missing peer dependency on the build server as well? Or can it be ignored?
Simply install the dependency yourself:
npm install jquery@1.9.1 --save
Although --save is optional, I recommend putting it, so the next time you can simply type only npm install and both bootstrap and jquery will be installed. You can read about peer dependencies in the npm documentation.
You should read the terminal output to check whether all important dependencies have been installed. If they haven't, install them manually.
npm install <MISSING DEPENDENCY> --save
In your case:
npm install jquery@1.9.1 --save
In addition to the given answers:
If npm warns you about a missing dependency with a version range like 1.9.1 - 3 then you should definitely use that range to manually install the dependency – and not only its lower boundary. Use quotes for the range to work as a parameter in the install command. Both of the following examples will work:
npm install jquery@"1.9.1 - 3"
npm install "jquery@1.9.1 - 3"
Also, the parameter --save can be omitted as of npm v5.0. This is now the default when you install.
I was using the react-native package, which I installed globally with npm. Now, on the first line after executing the init command, it says the following:
Installing react-native from npm...
Consider installing yarn to make this faster: https://yarnpkg.com
So I was checking that website and it looked interesting to me, but I don't exactly know what it would be. At first, I thought that I would need brew to install yarn, so I could use yarn to install npm. But now I think that yarn is a replacement for npm. Is that a correct statement?
Why would I like to have so many package managers?
I understand that it's useful for software like Atom or Visual Studio Code to have their own package manager. But for development, I do not see the reason why someone would like to use four different package managers (brew for 'primary software', yarn for npm packages, npm for backend modules and bower for front-end libraries). How can this package manager forest be untangled?
I am not familiar with brew, but I suppose you mean the Homebrew software package management system for macOS.
Then the purpose of each system is:
brew: installation of software, i.e. ready to consume applications like wget.
npm: installation of packages (libraries), i.e. pieces of functionality to help you build your own applications.
yarn: also installation of packages.
Yarn has some advantages over npm; the main two are speed and predictability. Yarn reuses npm's package.json file and doesn't change its structure. Therefore you can run yarn install instead of npm install and theoretically everything will work automatically.
P.S. I agree, https://yarnpkg.com doesn't have enough background on why the hell we need another package management system, but there is a great article which fills that gap.
yarn vs npm
yarn and npm both manage module installations and dependencies. Yarn was built to address some of the shortcomings of npm.
The biggest advantages of yarn over npm are:
Installing packages with yarn is parallelized, so package installation is faster.
package.json can be very loose in terms of version numbers. yarn.lock (similar to npm shrinkwrap) locks this down so that two machines with the same package.json always install the exact same packages.
yarn allows you to check why some packages are installed (understand the dependency tree).
Ref: https://www.sitepoint.com/yarn-vs-npm/
Yarn is a JavaScript package manager built by Facebook, Google, Exponent, and Tilde. It was created to overcome the features that are lacking in npm. In comparison with npm it has:
Enhanced Security
Offline mode
Parallel Installation - Therefore, faster installation
Another major difference was the yarn.lock file, but since npm ^5.x.x they provide the package-lock.json file too.
And the commands of yarn work like npm's:
# Starting a new project
npm init === yarn init
# Installing all the dependencies of the project
npm install === yarn or yarn install
# Adding a dependency
npm install [package] === yarn add [package] # The package is saved to your package.json immediately.
npm install [package]@[version] === yarn add [package]@[version]
npm install [package]@[tag] === yarn add [package]@[tag]
# Add a dev dependency
npm install [package] --save-dev === yarn add [package] --dev
# Upgrading a dependency
npm update [package] === yarn upgrade [package]
npm update [package]@[version] === yarn upgrade [package]@[version]
npm update [package]@[tag] === yarn upgrade [package]@[tag]
# Removing a dependency
npm uninstall [package] === yarn remove [package]
# View registry information
npm view [package] === yarn info [package]
# List installed packages
npm list === yarn list
npm list --depth=0 === yarn list --depth=0
# Install packages globally
npm install -g [package] === yarn global add [package]
# Run a defined package script
npm run [script] === yarn run [script]
References
https://www.sitepoint.com/yarn-vs-npm/
https://scotch.io/@brian_kimo/npm-vs-yarn
and the official announcement
https://code.facebook.com/posts/1840075619545360
Yarn is, like npm, a package manager for Node.js.
Yarn is built by Facebook.
It's faster and has more features than npm.
Their main selling points are:
Security: With the yarn.lock file (similar to npm's npm-shrinkwrap.json) all dependencies are locked to the exact version. So, you don't have those "But it works on my machine" struggles anymore. Everyone has the same versions locked in the yarn.lock file.
Speed: Yarn uses (fast) proxies and (offline) caching to deliver your modules faster. It also has a LICENSE checker, which checks the license of all your dependency modules.