For some reason I can't remove dependencies from my published npm package without changing the version.
When i first published it, package.json had some dependencies like:
"version": "1.0.0",
"author": {
"name": "me"
},
"dependencies": {
"#angular/common": "^4.2.0",
"#angular/core": "^4.2.0",
}
Later I removed the dependencies, changed the author and republished, what I get when I install the package is:
"version": "1.0.0",
"author": {
"name": "me-changed"
},
"dependencies": {
"#angular/common": "^4.2.0",
"#angular/core": "^4.2.0",
}
I'm using Nexus 2.14 as repository manager and NPM 3.10.
Is this a wanted feature? If not, what is causing it?
You can't change your package and publish it without updating the version. If you published one version it is fix and can't be changed afterwards.
Related
In order to understand difference between requires and dependencies in package-lock.json, I am checking the #angular/cli dependency object which looks as below.
Within #angular/cli the uuid package is listed with version 8.3.0 under both requires and dependencies fields.
"#angular/cli": {
"version": "10.1.7",
"resolved": "https://registry.npmjs.org/#angular/cli/-/cli-10.1.7.tgz",
"integrity": "sha512-0tbeHnPIzSV/z+KlZT7N2J1yMnwQi4xIxvbsANrLjoAxNssse84i9BDdMZYsPoV8wbzcDhFOtt5KmfTO0GIeYQ==",
"dev": true,
"requires": {
"#angular-devkit/architect": "0.1001.7",
"#angular-devkit/core": "10.1.7",
"#angular-devkit/schematics": "10.1.7",
"#schematics/angular": "10.1.7",
"#schematics/update": "0.1001.7",
"#yarnpkg/lockfile": "1.1.0",
"ansi-colors": "4.1.1",
"debug": "4.1.1",
"ini": "1.3.5",
"inquirer": "7.3.3",
"npm-package-arg": "8.0.1",
"npm-pick-manifest": "6.1.0",
"open": "7.2.0",
"pacote": "9.5.12",
"read-package-tree": "5.3.1",
"rimraf": "3.0.2",
"semver": "7.3.2",
"symbol-observable": "1.2.0",
"universal-analytics": "0.4.23",
"uuid": "8.3.0"
},
"dependencies": {
"ansi-colors": {
"version": "4.1.1",
"resolved": "https://registry.npmjs.org/ansi-colors/-/ansi-colors-4.1.1.tgz",
"integrity": "sha512-JoX0apGbHaUJBNl6yF+p6JAFYZ666/hhCGKN5t9QFjbJQKUU/g8MNbFDbvfrgKXvI1QpZplPOnwIo99lX/AAmA==",
"dev": true
},
"debug": {
"version": "4.1.1",
"resolved": "https://registry.npmjs.org/debug/-/debug-4.1.1.tgz",
"integrity": "sha512-pYAIzeRo8J6KPEaJ0VWOh5Pzkbw/RetuzehGM7QRRX5he4fPHx2rdKMB256ehJCkX+XRQm16eZLqLNS8RSZXZw==",
"dev": true,
"requires": {
"ms": "^2.1.1"
}
},
"uuid": {
"version": "8.3.0",
"resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.0.tgz",
"integrity": "sha512-fX6Z5o4m6XsXBdli9g7DtWgAx+osMsRRZFKma1mIUsLCz6vRvv+pz5VNbyu9UEDzpMWulZfvpgb/cmDXVulYFQ==",
"dev": true
}
}
I have gone through the stackoverflow post based upon which it makes sense to have uuid listed under requires and dependencies field if the version is different.
However, in this case uuid has same version 8.3.0 under requires and dependencies field. So, why it is required to be listed at both the places?
According to the relevant documentation, a dependencies entry is not only populated for a dependency with a different version than used elsewhere. It will also be populated if the dependency is not used anywhere else. At least, that's my interpretation. If I'm right about that, running npm ls uuid in your project should show that only one uuid entry.
It needs to be listed in both places because dependencies has much more information than requires and that information is needed by npm. The broader answer to "why", though, is "why not?" The package-lock.json file is for npm internal use. The format changed between npm version 6 and npm version 7. It will probably change again. They'll probably do whatever works best for the npm command-line tool. That may involve duplicating information.
I am using webdriverIO v6
I have Installed just these two packages: npm install #wdio/cli as well as webdriverio
my tests are ruining smoothly in my local.
Is this ok to push to code-repo in git, does this work in Jenkis or Azure devops?
or is is required to install the --save-dev too to work in CI tools?
{
"name": "test-package",
"version": "1.0.0",
"description": "",
"main": "index.js",
"scripts": {
"wdio": "./node_modules/.bin/wdio wdio.conf.js"
},
"author": "",
"license": "ISC",
"devDependencies": {
"#wdio/allure-reporter": "^6.1.23",
"#wdio/cli": "^6.1.25",
"#wdio/local-runner": "^6.1.25",
"#wdio/mocha-framework": "^6.1.19",
"#wdio/spec-reporter": "^6.1.23",
"#wdio/sync": "^6.1.14",
"chromedriver": "^83.0.1",
"wdio-chromedriver-service": "^6.0.3",
"webdriverio": "^6.1.25"
},
"dependencies": {}
}
This is nothing specific to wdio. This is a question which has been discussed multiple times in nodejs context.
Many developers suggest not to include node_modules in the repo because of various reasons which are logical. Then there are reasons which might force you to do it. if you are doing it just to reduce the build time, be prepared for other implications. Below are links which might help you.
https://flaviocopes.com/should-commit-node-modules-git/
Should "node_modules" folder be included in the git repository
According to package-lock.json's documentation
It describes the exact tree that was generated, such that subsequent
installs are able to generate identical trees, regardless of
intermediate dependency updates.
I'm looking at a package-lock.json file which contains versions like:
"less": "^3.0.4",
"less-loader": "^4.1.0",
"license-webpack-plugin": "^1.3.1",
"lodash": "^4.17.4",
"memory-fs": "^0.4.1
in the requires block of one of the dependencies.
While the child dependencies of the main project are "locked down" in that there is no version ambiguity, these transitive dependencies are not. But how is npm "able to generate identical trees, regardless of intermediate dependency updates" if any of the dependencies in the tree are subject to interpretation?
According to this thread, in npm#6 there was a change to how the package-lock.json represents dependency versions internally in that it records the originally requested ranged dependency, yet still locks down a specific version.
Previously, the package-lock did not record what version was originally requested by a dependency, only which version it resolved it to at the time of its creation.
Here's example:
package-lock.json
// OLD npm format
// Notice that ajv.requires contains specific version for 'fast-json-stable-stringify'
// also notice that 'fast-json-stable-stringify' entry **mentions for the second time** specific version
{
...
"dependencies": {
...
"ajv": {
"version": "6.11.0",
"resolved": "https://registry.npmjs.org/ajv/-/ajv-6.11.0.tgz",
"integrity": "sha512-nCprB/0syFYy9fVYU1ox1l2KN8S9I+tziH8D4zdZuLT3N6RMlGSGt5FSTpAiHB/Whv8Qs1cWHma1aMKZyaHRKA==",
"dev": true,
"requires": {
"fast-deep-equal": "3.1.1",
"fast-json-stable-stringify": "2.1.0",
"json-schema-traverse": "0.4.1",
"uri-js": "4.2.2"
}
},
...
"fast-json-stable-stringify": {
"version": "2.1.0",
"resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz",
"integrity": "sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==",
"dev": true
},
...
}
...
}
And here's npm6 approach
// "new" npm format (as of npm#6)
// Notice that ajv.requires is not showing specific versions
// but instead shows same values as package.json contains
// However 'fast-json-stable-stringify' entry contains
// SPECIFIC version to have reproducible build
{
...
"dependencies": {
...
"ajv": {
"version": "6.11.0",
"resolved": "https://registry.npmjs.org/ajv/-/ajv-6.11.0.tgz",
"integrity": "sha512-nCprB/0syFYy9fVYU1ox1l2KN8S9I+tziH8D4zdZuLT3N6RMlGSGt5FSTpAiHB/Whv8Qs1cWHma1aMKZyaHRKA==",
"dev": true,
"requires": {
"fast-deep-equal": "^3.1.1",
"fast-json-stable-stringify": "^2.0.0",
"json-schema-traverse": "^0.4.1",
"uri-js": "^4.2.2"
}
},
...
"fast-json-stable-stringify": {
"version": "2.1.0",
"resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz",
"integrity": "sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==",
"dev": true
},
...
}
...
}
I'm trying to learn react-native by creating an app using the expo development environment. I had a working app (little more than the code that shipped with expo) until installing redux. Currently I am getting the following error from the XDE:
Problem checking node_modules dependencies: Unexpected end of JSON input
and the following from the ios simulator:
undefined is not an object (evaluating 'ReactPropTypes.string')
Package.json:
{
"name": "myApp",
"version": "0.0.0",
"description": "Hello Expo!",
"author": null,
"main": "main.js",
"scripts": {
"test": "node node_modules/jest/bin/jest.js"
},
"jest": {
"preset": "jest-expo"
},
"dependencies": {
"#expo/ex-navigation": "~3.0.0",
"#expo/samples": "~1.0.3",
"babel-preset-react": "^6.24.1",
"expo": "17.0.0",
"react": "^16.0.0-alpha.12",
"react-native": "^0.45.1",
"react-redux": "^5.0.5",
"redux": "^3.6.0"
},
"devDependencies": {
"jest-expo": "~1.0.1"
}
}
I believe my node modules contain valid JSON. It should be noted that I'm using a more current version of react-native than expo. Is this an issue with the packages I have installed? Which files would be helpful in solving this?
Although I haven't been able to fix this particular error. This one and many others can be avoided by using yarn instead of npm when working with expo (I have no affiliation with either tool).
I believe this is due to a bug in the current release of npm 5. As mentioned in the other answer here, using npm 4 or yarn will resolve this problem.
In Visual Studio 2017, when I right click on Dependencies in the solution, I see Manage NuGet Packages but where is npm? Shouldn't there be a visual manager for npm like I use with NuGet all the time?
here you go.
On your project do a right click
Select Add New Item
Select the NPM Configuration File, this will add a Package.json to your project, it will look like this:
{
"version": "1.0.0",
"name": "asp.net",
"private": true,
"devDependencies": {
}
}
then you can type your dependencies like so:
{
"version": "1.0.0",
"name": "asp.net",
"private": true,
"devDependencies": {
"gulp": "3.9.1",
"gulp-bootlint": "0.8.1"
}
}
There is Package Installer
Is nothing official but its something