Slide 1

npm or yarn, that is a problem. 2018/08/26 @ LL.pm

Slide 2

Twitter: @yosuke_furukawa Github: yosuke-furukawa

Slide 3

No content

Slide 4

FAQ

Slide 5

Q. npm or yarn, which one should I use?

Slide 6

A. Well, either one is fine, isn't it? (honestly) Everyone is different, and that's fine.

Slide 7

Both have all the features needed to manage packages.

Slide 8

But just saying that would be a cop-out, so let me go over the parts where they are clearly differentiated.

Slide 9

Performance

Slide 10

Measured it (with neither using a cache)

Slide 11

No content

Slide 12

yarn wins

Slide 13

Measured it (results after enabling the cache)

Slide 14

yarn wins

Slide 15

That roughly matches the gut feeling, too. People who like yarn mostly use it because its performance is faster.

Slide 16

npm ci

Slide 17

npm ci: a feature specialised for CI/CD use. It skips any extra processing and just fetches the libraries from scratch.

Slide 18

npm ci is fast

Slide 19

yarn is basically faster. npm is slower, but in CI and the like it is faster than yarn.

Slide 20

yarn is geared to development use. npm splits its commands between development and operations.

Slide 21

Features (basically almost compatible)

Slide 22

Features yarn has that npm lacks

Slide 23

yarn licenses list

Slide 24

A feature that lists the licenses of the dependency libraries.

$ yarn licenses list
yarn licenses v1.9.4
├─ (BSD-2-Clause OR MIT OR Apache-2.0)
│  └─ [email protected]
│     ├─ URL: https://github.com/dominictarr/rc.git
│     ├─ VendorName: Dominic Tarr
│     └─ VendorUrl: dominictarr.com
├─ (GPL-2.0 OR MIT)
│  └─ [email protected]
│     ├─ URL: https://github.com/faisalman/ua-parser-js.git
│     ├─ VendorName: Faisal Salman
│     └─ VendorUrl: http://github.com/faisalman/ua-parser-js
├─ (MIT AND BSD-3-Clause)
│  └─ [email protected]
│     ├─ URL: git://github.com/crypto-browserify/sha.js.git
│     ├─ VendorName: Dominic Tarr
│     └─ VendorUrl: https://github.com/crypto-browserify/sha.js

Slide 25

yarn upgrade-interactive

Slide 26

A feature that lets you update dependency libraries from an interactive shell.

Slide 27

Features npm has that yarn lacks

Slide 28

npm audit

Slide 29

A feature that audits whether vulnerabilities have been reported in the dependency libraries.

$ npm audit
=== npm audit security report ===
# Run  npm install --save-dev [email protected]  to resolve 14 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                │
├───────────────┼────────────────────────────────────────────────────┤
│ Package       │ lodash                                             │
├───────────────┼────────────────────────────────────────────────────┤
│ Dependency of │ nyc [dev]                                          │
├───────────────┼────────────────────────────────────────────────────┤
│ Path          │ nyc > istanbul-lib-instrument > babel-generator >  │
│               │ babel-types > lodash                               │
├───────────────┼────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577             │
└───────────────┴────────────────────────────────────────────────────┘

Slide 30

Security has been a hot topic lately (in a scary way).

Slide 31

Moreover, npm audit is provided as an npm-only feature (it can't be used with other services).

Slide 32

yarn excels as a development tool. npm excels as an operations tool.

Slide 33

Pitfalls (points that trip you up in everyday use)

Slide 34

yarn's pitfall

Slide 35

Its feature for removing duplicate modules does not behave compatibly with npm.

Slide 36

Both yarn and npm place a duplicated module at the top level when one exists.

// Given a dependency graph like this:
app (depends on lib_A and lib_B)/
  node_modules/
    lib_A(v1) (depends on lib_B(v1))/
      lib_B(v1) (depends on lib_C(v1))/
        lib_C (v1)/
    lib_B(v2) (depends on lib_C(v1))/
      lib_C (v1)/

// A feature that reduces C to a single copy and flattens the hierarchy (called dedupe):
app/
  node_modules/
    lib_A (v1)/
      lib_B(v1)/
    lib_B(v2)/
    lib_C(v1)/

Slide 37

In yarn's case this dedupe basically runs too, but it isn't perfect.
https://github.com/yarnpkg/yarn/issues/6070

Slide 38

yarn's incomplete-dedupe problem

// When dedupe is incomplete you end up with this:
app/
  node_modules/
    lib_A (v1)/
      lib_B(v1)/
        lib_C(v1)/
    lib_B(v2)/
      lib_C(v1)/

In most cases this is not a problem, but if there is a back-reference from C to B it's NG.
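The dedupe behaviour of the previous slides, as an added JavaScript example that is not part of the original deck: a small model of the hoisting step and a check that flags the incomplete-dedupe layout. The tree, package names and versions are constructed to mirror the slides; real npm and yarn hoisting apply more rules than this.

```javascript
const brokenTree = {            // constructed: the slides' "incomplete dedupe" layout
  name: 'app', version: '1.0.0', deps: {
    lib_A: { version: '1.0.0', deps: {
      lib_B: { version: '1.0.0', deps: {
        lib_C: { version: '1.0.0', deps: {} } } } } },
    lib_B: { version: '2.0.0', deps: {
      lib_C: { version: '1.0.0', deps: {} } } },
  },
};

// Record every node_modules path at which each name@version is installed.
function collectInstalls(node, path = [], out = new Map()) {
  for (const [name, dep] of Object.entries(node.deps)) {
    const here = [...path, name];
    const key = `${name}@${dep.version}`;
    if (!out.has(key)) out.set(key, []);
    out.get(key).push('node_modules/' + here.join('/node_modules/'));
    collectInstalls(dep, here, out);
  }
  return out;
}

// A name@version that lives at two paths is a dedupe miss: the module loads
// twice, so module-level state (and a back-reference from C into B) is no
// longer shared between the two copies.
function findDedupeMisses(tree) {
  return [...collectInstalls(tree)]
    .filter(([, paths]) => paths.length > 1)
    .map(([pkg, paths]) => ({ pkg, paths }));
}

// Simplified hoisting (the "dedupe" of the slides): move a nested dependency
// to the top level when no other version of that name is there, and drop a
// nested copy whose version already sits at the top. Returns a new tree.
function dedupe(tree) {
  const root = JSON.parse(JSON.stringify(tree)); // work on a copy
  const visit = (node) => {
    for (const [name, dep] of Object.entries(node.deps)) {
      if (node !== root) {
        const top = root.deps[name];
        if (!top) { root.deps[name] = dep; delete node.deps[name]; }
        else if (top.version === dep.version) { delete node.deps[name]; continue; }
      }
      visit(dep);
    }
  };
  visit(root);
  return root;
}
```

Running findDedupeMisses on brokenTree reports the two copies of lib_C@1.0.0; after dedupe the layout matches the flattened tree of slide 36 and the check reports nothing.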

Slide 39

In practice, the webpack module and its dependencies hit this NG once.

Slide 40

npm's pitfall

Slide 41

The problem that npm install rewrites the lock file every time

Slide 42

The package-lock rewrite problem

$ npm install
$ git diff
- package-lock.json

(!! I only ran npm install, yet the lock file has been rewritten !!)

Slide 43

It is recognised as a bug, but hasn't been fixed yet.

Slide 44

No content

Slide 45

The package-lock rewrite problem

// workaround
$ npm install --no-save
OR
$ npm ci

// With the --no-save option, npm install does not write package-lock at that point.
// npm ci does nothing other than download what package-lock.json specifies.

Slide 46

yarn: the CLI is not mature yet. npm: the lock handling still has a few rough edges.

Slide 47

Summary
• Performance
  • yarn is basically faster
  • npm ci is also fast
• Features
  • yarn has more features that are welcome in development
  • npm has more features that are welcome in operations (especially security)
• Pitfalls
  • yarn => the lax dedupe problem
  • npm => the lockfile-gets-rewritten-on-its-own problem

Slide 48

Q. npm or yarn, which one should I use?

Slide 49

(Performance-wise yarn is faster and it has handy commands, but npm is more secure and more mature, so... hmmmm)

Slide 50

A. Just use whichever you like, I'd say (^^)