Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
npm or yarn, that is a problem.
Search
Yosuke Furukawa
PRO
August 26, 2018
Programming
18
2.2k
npm or yarn, that is a problem.
LL.pm で発表した npm と yarn の話です。
Yosuke Furukawa
PRO
August 26, 2018
Tweet
Share
More Decks by Yosuke Furukawa
See All by Yosuke Furukawa
Welcome JSConf.jp 2024
yosuke_furukawa
PRO
1
3.3k
tc39 x jsconf.jp Panel Discussion 2024
yosuke_furukawa
PRO
0
170
Removing Corepack
yosuke_furukawa
PRO
9
1.3k
JavaScript Runtime とはなにか
yosuke_furukawa
PRO
15
2.5k
Strip Types と Storage
yosuke_furukawa
PRO
4
350
Module Harmony について
yosuke_furukawa
PRO
3
1.6k
LTのやり方
yosuke_furukawa
PRO
16
2.2k
AppRouter Panel Talk
yosuke_furukawa
PRO
3
720
Node.js v22 で変わること
yosuke_furukawa
PRO
13
5.5k
Other Decks in Programming
See All in Programming
Scalaから始めるOpenFeature入門 / Scalaわいわい勉強会 #4
arthur1
1
340
Recoilを剥がしている話
kirik
5
6.8k
快速入門可觀測性
blueswen
0
380
PHPで作るWebSocketサーバー ~リアクティブなアプリケーションを知るために~ / WebSocket Server in PHP - To know reactive applications
seike460
PRO
2
530
tidymodelsによるtidyな生存時間解析 / Japan.R2024
dropout009
1
790
PHPとAPI Platformで作る本格的なWeb APIアプリケーション(入門編) / phpcon 2024 Intro to API Platform
ttskch
0
270
Go の GC の不得意な部分を克服したい
taiyow
3
800
Jakarta EE meets AI
ivargrimstad
0
260
CSC305 Lecture 26
javiergs
PRO
0
140
創造的活動から切り拓く新たなキャリア 好きから始めてみる夜勤オペレーターからSREへの転身
yjszk
1
130
create_tableをしただけなのに〜囚われのuuid編〜
daisukeshinoku
0
270
フロントエンドのディレクトリ構成どうしてる? Feature-Sliced Design 導入体験談
osakatechlab
8
4.1k
Featured
See All Featured
A designer walks into a library…
pauljervisheath
205
24k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
2
290
Fireside Chat
paigeccino
34
3.1k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
0
99
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
330
21k
Raft: Consensus for Rubyists
vanstee
137
6.7k
4 Signs Your Business is Dying
shpigford
181
21k
A Philosophy of Restraint
colly
203
16k
Designing for humans not robots
tammielis
250
25k
Code Reviewing Like a Champion
maltzj
520
39k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
32
2.7k
Transcript
npm or yarn , that is a problem. 2018/08/26 @
LL.pm
Twitter: @yosuke_furukawa Github: yosuke-furukawa
None
FAQ
Q. npm ͱ yarn ͬͯͲͬͪ ͬͨΒ͍͍ΜͰ͔͢ʁ
A. ͍ɺͲ͍͍ͬͪͬͯ Μ͡Όͳ͍Ͱ͔͢ͶʢຊԻʣ ΈΜͳҧͬͯΈΜͳ͍͍
ͲͬͪύοέʔδΛཧ͢ ΔػೳͦΖͬͯΔɻ
ͨͩ·͊ͦΕ͚ͩݴͬͯಀ ͛ͳͷͰɺҰԠ໌֬ʹࠩผԽ ͞ΕͯΔ෦Λհ͢Δ
ύϑΥʔϚϯε
ܭଌͯ͠Έͨ (ͲͪΒcache͠ͳ͍ঢ়گ)
None
yarnͷউར
ܭଌͯ͠Έͨ (cacheΛ༗ޮʹͨ͋͠ͱͷ݁Ռ)
yarnͷউར
ͳΜͱͳ͘ମײͱ͋ͬͯΔɻ ZBSO͕͖ͳਓେମ1FSGPSNBODF ͕͍ͱ͍͏͜ͱͰͬͯΔ
npm ci
npm ci $*$%Ͱ͏ͨΊʹ༨ܭͳॲཧΛ͠ͳ͍ɺͨͩϥΠϒϥ ϦΛθϩ͔Βऔಘ͢Δ͜ͱʹಛԽͨ͠ػೳ
npm ci ͍
yarnͷ͕جຊతʹߴ npmͷ͕͍͕ɺCIͰ yarnΑΓߴ
yarn։ൃ༻్ʹ͍͍ͯΔ npm։ൃɾӡ༻ͰͦΕͧΕ ίϚϯυΛ͚͍ͯΔ
ػೳ ʢجຊతʹ΄΅compatibleʣ
yarnʹ͋ͬͯnpmʹͳ͍ػೳ
yarn licenses list
ґଘϥΠϒϥϦͷϥΠηϯε͕ ҰཡͰ͖Δػೳ $ yarn licenses list yarn licenses v1.9.4 !"
(BSD-2-Clause OR MIT OR Apache-2.0) # $"
[email protected]
# !" URL: https://github.com/dominictarr/rc.git # !" VendorName: Dominic Tarr # $" VendorUrl: dominictarr.com !" (GPL-2.0 OR MIT) # $"
[email protected]
# !" URL: https://github.com/faisalman/ua-parser-js.git # !" VendorName: Faisal Salman # $" VendorUrl: http://github.com/faisalman/ua-parser-js !" (MIT AND BSD-3-Clause) # $"
[email protected]
# !" URL: git://github.com/crypto-browserify/sha.js.git # !" VendorName: Dominic Tarr # $" VendorUrl: https://github.com/crypto-browserify/sha.js
yarn upgrade-interactive
ґଘϥΠϒϥϦͷߋ৽Λରܕ γΣϧͰߦ͑Δػೳ
npmʹ͋ͬͯyarnʹͳ͍ػೳ
npm audit
ґଘϥΠϒϥϦͰ੬ऑੑ͕ใࠂ ͞Ε͍ͯͳ͍͔Λࠪ͢Δػೳ $ npm audit === npm audit security report
=== # Run npm install --save-dev
[email protected]
to resolve 14 vulnerabilities SEMVER WARNING: Recommended action is a potentially breaking change %"""""""""""""""&""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""' # Low # Prototype Pollution # !"""""""""""""""("""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""") # Package # lodash # !"""""""""""""""("""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""") # Dependency of # nyc [dev] # !"""""""""""""""("""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""") # Path # nyc > istanbul-lib-instrument > babel-generator > # # # babel-types > lodash # !"""""""""""""""("""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""") # More info # https://nodesecurity.io/advisories/577 # $"""""""""""""""*""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""+
࠷ۙηΩϡϦςΟ͕͍ʢ ͍ʣ
͔͠npm auditnpmಠࣗͷػೳͱͯ͠ ఏڙ͞ΕͯΔʢଞͷαʔϏεͰ͑ͳ͍ʣ
yarn։ൃπʔϧͱͯ͠༏ल npmӡ༻πʔϧͱͯ͠༏ल
᠘ ʢ͍ͬͯͯҾ͔͔ͬΔϙΠϯτʣ
yarn ͷ᠘
ॏෳϞδϡʔϧΛআ͢Δػ ೳ͕npmͱcompatibleͳಈ ͖Λ͠ͳ͍ɻ
yarn, npm ͱʹॏෳͨ͠Ϟδϡʔ ϧ͕͋ͬͨΒτοϓϨϕϧʹ࡞Δ // ͜͏͍͏ґଘ͕ؔ͋ͬͨΒ app (lib_Aͱlib_Bʹґଘ)/ node_modules/ lib_A(v1)
(lib_B(v1)ʹґଘ)/ lib_B(v1) (lib_C(v1)ʹґଘ)/ lib_C (v1)/ lib_B(v2) (lib_C(v1)ʹґଘ)/ lib_C (v1)/ // CΛҰͭʹͯ͠ɺ֊ߏΛઙ͘͢Δػೳ(dedupeͱݺΕΔ) app/ node_modules/ lib_A (v1)/ lib_B(v1)/ lib_B(v2)/ lib_C(v1)/
yarnͷ߹جຊ͜ͷ dedupe͕ಈ͕͘ɺᘳ͡Ό ͳ͍ɻ https://github.com/yarnpkg/yarn/issues/6070
yarn dedupeෆશ // dedupe͕ෆશͩͱ͜͏ͳΔɻ app/ node_modules/ lib_A (v1)/ lib_B(v1)/ lib_C(v1)/
lib_B(v2)/ lib_C(v1)/ ΄ͱΜͲͷέʔεͰʹͳΒͳ͍͕ɺ$#ͷٯ ࢀর͕͋Δͱ/(
࣮ࡍʹwebpackϞδϡʔϧ ͱͦͷґଘͰҰճNGʹͳͬ ͨɻ
npm ͷ᠘
npm install ͰຖճlockϑΝΠ ϧॻ͖͑ͯ͘Δ
package-lockϑΝΠϧॻ͖͑ Δ $ npm install $ git diff - package-lock.json
(!! npm install ͚ͨͩ͠ͳͷʹϩοΫϑΝΠϧ͕ॻ͖Θͬ ͯΔ !!)
όάͱͯ͠ೝࣝ͞ΕͯΔ͕ɺ ·ͩͬͯͳ͍ɻ
None
package-lockϑΝΠϧॻ͖͑ Δ // workaround $ npm install --nosave OR $
npm ci // npm install —nosave option Λ͚ͭΔͱͦͷλΠϛϯάͰpackage-lock࡞ Βͳ͍ɻ // npm ci package-lock.json͔Βμϯϩʔυ͢ΔҎ֎ͷҰΛ͠ͳ͍ɻ
yarnCLI͕ͩރΕͯͳ͍ npmlockͷ෦ʹ·ͩएׯ ͷই͕͋Δɻ
·ͱΊ • ੑೳ • yarn ͷ͕جຊతʹ͍ • npm ciߴ •
ػೳ • yarnͷ͕։ൃ໘Ͱخ͍͠ػೳ͕ଟ͍ • npmͷ͕ӡ༻໘ʢಛʹηΩϡϦςΟʣͰخ͍͠ػೳ͕ଟ͍ • ᠘ • yarn => deduce ͍ • npm => lockfileউखʹॻ͖͑ͪΌ͏
Q. npm ͱ yarn ͬͯͲͬͪ ͬͨΒ͍͍ΜͰ͔͢ʁ
(ੑೳతʹyarnͷ͕͍͠ɺ ศརίϚϯυ͋Δ͚Ͳɺ npmͷ͕ηΩϡΞͩ͠ɺރΕ ͯΔ͠͏ʔʔΜ…)
A. ͖ͳͷͬͨΒ͍͍Μ͡Ό ͳ͍Ͱ͔͢Ͷ (^^)