NPM: Updating modules within modules - npm

In my NodeJS projects I of course use some external modules, and those modules rely on other packages. Some of the developers maintaining those modules are very slow at updating the modules they use in their own project, even when the issue is security-related.
Is it possible to bump up an NPM module within a module?

You can change the package.json file within those npm packages you wish to update the dependencies for, but really this isn't an ideal solution. Any time an npm install is performed you'll lose those changes. Best to, if possible, fork the Git repos for those packages and make the changes yourself.

Related

Group project uses both NPM + Yarn. How to transition to use only one?

As title indicates, I'm working on a project where different members have used different tools (NPM and Yarn) for handling packages and modules etc.
We aim to transition to use ONLY Yarn (not our decision). Would anyone be able to share resources detailing how to accomplish such a thing? Or help quickly walk me through the steps?
I tried googling for answers but every single result is yet another article explaining why you should ditch NPM/Yarn and move your project to Yarn/NPM, without explaining the steps one would need to take to move from using both to just one mid-project. Thanks!
It looks like Yarn has a page talking about how to migrate to it from NPM:
https://yarnpkg.com/lang/en/docs/migrating-from-npm/
In most cases, running yarn or yarn add for the first time will just work. In some cases, the information in a package.json file is not explicit enough to eliminate dependencies, and the deterministic way that Yarn chooses dependencies will run into dependency conflicts. This is especially likely to happen in larger projects where sometimes npm install does not work and developers are frequently removing node_modules and rebuilding from scratch. If this happens, try using npm to make the versions of dependencies more explicit, before converting to Yarn.
As of Yarn 1.7.0, you can import your package-lock.json state, generated by npm to Yarn, by using yarn import.
They use many of the same files and structures. The important thing is to check in the yarn.lock file and make sure everyone is installing using Yarn instead of NPM.
If you have a build server, you could probably use it to enforce those dependencies, but it would be more work.

NPM v5: Generate lockfile alongside `yarn.lock`?

I maintain a starter kit that bundles a Yarn yarn.lock file.
Now that NPM v5 is released and recommends committing its own package-lock.json, I'd like to include both.
Is it possible to generate both files without actually installing anything, solely for the purpose of committing the locks?
Note: The reason for including both is that, as a starter kit, the end user may choose to use Yarn or NPM. I have no control over their environment, so I'd like to support both out of the box.

npm package.json dependencies - for a library component

Let's say I am working on a library that will be consumed by other developers. MyPackage has a dependency on moment. The developer that consumes my package also has a dependency on moment. So moment will exist as a "dependency" in both the library package.json and the application package.json (and thus get packaged twice). Is there a way to package it just once? If the consumer has it, use theirs, else use mine?
It's already happening by default on fresh installs if dependency ranges match.
npm v>=3 does gang the dependencies, depending on the installation order and depth, see here.
Also, if you kept working on the same folder for a while, there might be some cruft, which could be wiped using npm dedupe, see here.
In theory, moment should not be duplicated if both your library and developer's library are consuming the same version ranges of it. At least if npm dedupe is called or node_modules are wiped and npm i-nstalled.
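One way to answer both the first question on this page (which installed copy of a transitive dependency is actually at a patched version) and the moment de-duplication question above is to read the lockfile rather than edit nested package.json files by hand. The script below is an added example, not code from any of the posters; it assumes the npm v5/v6 lockfile format (lockfileVersion 1, where an entry's own `dependencies` key lists packages nested under its node_modules), and the lockfile, the package names and the "patched" version threshold are constructed for illustration.

```javascript
// Constructed package-lock.json (lockfileVersion 1) for the example:
// top-level moment is new, but my-lib pulls in its own older nested copy.
const SAMPLE_LOCK = {
  name: "my-app",
  lockfileVersion: 1,
  dependencies: {
    moment: { version: "2.24.0" },
    "my-lib": {
      version: "1.0.0",
      requires: { moment: "^2.10.0" },
      // nested copy: npm kept it under my-lib/node_modules
      dependencies: { moment: { version: "2.10.6" } },
    },
    "other-lib": { version: "3.1.0", requires: { moment: "^2.20.0" } },
  },
};

// Recursively collect {name, version, path} for every installed entry.
function collectInstalls(deps, parentPath = "node_modules", out = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${parentPath}/${name}`;
    out.push({ name, version: entry.version, path });
    if (entry.dependencies) collectInstalls(entry.dependencies, `${path}/node_modules`, out);
  }
  return out;
}

// Packages present in more than one version: what `npm dedupe` would target.
function duplicates(lock) {
  const byName = new Map();
  for (const i of collectInstalls(lock.dependencies)) {
    if (!byName.has(i.name)) byName.set(i.name, new Set());
    byName.get(i.name).add(i.version);
  }
  return [...byName].filter(([, v]) => v.size > 1)
    .map(([name, v]) => ({ name, versions: [...v].sort() }));
}

// Minimal "major.minor.patch" comparison (no prerelease or range handling).
function semverLt(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i];
  return false;
}

// Every installed copy of `name` still below the assumed patched version.
function outdatedCopies(lock, name, fixedVersion) {
  return collectInstalls(lock.dependencies)
    .filter(i => i.name === name && semverLt(i.version, fixedVersion))
    .map(i => `${i.path}@${i.version}`);
}

console.log(duplicates(SAMPLE_LOCK));                          // moment twice
console.log(outdatedCopies(SAMPLE_LOCK, "moment", "2.19.3")); // assumed threshold
```

On a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; a nested copy that stays below the patched version after `npm dedupe` is the case the first answer describes, where only the upstream package.json (or a fork) can fix it.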

install npm package dependency via nexus

So here is the problem
I installed systemjs from the online npm repo to a new empty project which was fine. I then republished this to an internal nexus repository which appeared to work.
However, when I tried to install the systemjs repository from our nexus directory, the 'when.js' package was installed at the same node_modules level as the systemjs package, i.e. myproject->node_modules->when, not within myproject->node_modules->systemjs->node_modules->when.
Can you tell me what I need to do to ensure that the systemjs dependencies are installed within myproject->node_modules->systemjs->node_modules->XXX and NOT myproject->node_modules->XXX?
Since npm v3 the dependency tree is kept as flat as possible to avoid duplication and overly deep directory structures. That results in placing the dependencies at the same level as the module that required them, unless there already exists another version of the dependency in which case it is installed nested. See the npm documentation for details.
In most cases you shouldn't have to worry about the structure of your node_modules directory. If you absolutely need to have all the dependencies nested, the only way currently seems to be downgrading npm to v2.

NPM/Bower/Composer - differences?

Can someone explain to me the difference between NPM, Bower and Composer?
They are all package managers - correct?
But when should each one be used?
Also, each one appears to have a json file that accompanies it, does this store all the packages you require so they can be installed by cmd line? Why do you need this file?
[update, four years later]
bower is deprecated, and should not be used anymore for new projects. To a large extent, it has been subsumed into node dependency management (from their website: "While Bower is maintained, we recommend using Yarn and Webpack or Parcel for front-end projects").
yarn came out of the wood as a better npm (fixing several of npm flaws), and this is really what you should use now, as it is the new de-facto standard if you are doing front-end or node development. It does consume the same package.json as npm, and is almost entirely compatible with it.
I wouldn't use composer at this point (because I wouldn't use php), although it seems to still be alive and popular.
[original answer]
npm is the nodejs package manager. It therefore targets nodejs environments, which usually means server-side nodejs projects or command-line projects (bower itself is an npm package). If you are going to do anything with nodejs, then you are going to use npm.
bower is a package manager that aims at (front-end) web projects. You need npm and nodejs to install bower and to execute it, though bower packages are not meant specifically for nodejs, but rather for the "browser" environment.
composer is a dependency manager that targets php projects. If you are doing something with symfony (or plain old php), this is likely the way to go.
Summing it up:
doing node? you do npm
doing php? try composer
front-end javascript? try bower
And yes, the "json" files describe basic package information and dependencies. And yes, they are needed.
Now, what about the READMEs? :-)
https://github.com/bower/bower
https://www.npmjs.org/doc/cli/npm.html
https://getcomposer.org/doc/00-intro.md