Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
npm or yarn, that is a problem.
Search
Yosuke Furukawa
PRO
August 26, 2018
Programming
18
2k
npm or yarn, that is a problem.
LL.pm で発表した npm と yarn の話です。
Yosuke Furukawa
PRO
August 26, 2018
Tweet
Share
More Decks by Yosuke Furukawa
See All by Yosuke Furukawa
リアーキテクトと開発生産性について
yosuke_furukawa
PRO
21
7.8k
JavaScript Server Runtime History
yosuke_furukawa
PRO
8
2.7k
tc39 x jsconf.jp Panel Discussion
yosuke_furukawa
PRO
0
820
フロントエンドの開発生産性とは
yosuke_furukawa
PRO
16
9.4k
7 principles for rich web apps And how next.js achieves these principles
yosuke_furukawa
PRO
6
2k
Deep Dive International Conference
yosuke_furukawa
PRO
0
95
フロントエンドのDXと今後
yosuke_furukawa
PRO
6
3.6k
フロントエンドリアーキテクトの話
yosuke_furukawa
PRO
18
8.8k
new_urlparser.pdf
yosuke_furukawa
PRO
1
420
Other Decks in Programming
See All in Programming
『データ可視化学入門』をPythonからRに翻訳した話(増強版)
bob3bob3
0
280
Microsoft Fabricを7ヶ月使ってわかったこと
shun_oshidari
2
450
BuefyのMaintainerを引き継いだ件
kikuomax
0
330
シェルの履歴とイクンリメンタル検索を使う
naoya
7
2.3k
「Hono遍歴」と「HonoXでブログ作成」
yasu551
0
170
Laravel OpenAPIによる"辛くない"スキーマ駆動開発
kentaroutakeda
2
1.4k
Kotlinを用いたDSL的な設計手法と使用上の注意
kohii00
2
490
Learning PHP and Static Analysis with PHP Parser
inouehi
1
220
Apple Vision Pro購入RTA 1泊3日弾丸ハワイツアー / RTA: Purchase Apple Vision Pro in Hawaii
yutailang0119
0
480
PHP8の機能を使って堅牢にコードを書く
fendo181
6
2k
メール認証とRuby
uvb_76
0
110
CSC308B Lecture 12
javiergs
PRO
0
100
Featured
See All Featured
JazzCon 2018 Closing Keynote - Leadership for the Reluctant Leader
reverentgeek
178
11k
WebSockets: Embracing the real-time Web
robhawkes
59
6.9k
Embracing the Ebb and Flow
colly
78
4.1k
Ruby is Unlike a Banana
tanoku
95
10k
Teambox: Starting and Learning
jrom
126
8.3k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
18
1.7k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
6
930
Navigating Team Friction
lara
177
13k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
19
1.6k
A better future with KSS
kneath
230
16k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
11
1.4k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
1
1.2k
Transcript
npm or yarn , that is a problem. 2018/08/26 @
LL.pm
Twitter: @yosuke_furukawa Github: yosuke-furukawa
None
FAQ
Q. npm ͱ yarn ͬͯͲͬͪ ͬͨΒ͍͍ΜͰ͔͢ʁ
A. ͍ɺͲ͍͍ͬͪͬͯ Μ͡Όͳ͍Ͱ͔͢ͶʢຊԻʣ ΈΜͳҧͬͯΈΜͳ͍͍
ͲͬͪύοέʔδΛཧ͢ ΔػೳͦΖͬͯΔɻ
ͨͩ·͊ͦΕ͚ͩݴͬͯಀ ͛ͳͷͰɺҰԠ໌֬ʹࠩผԽ ͞ΕͯΔ෦Λհ͢Δ
ύϑΥʔϚϯε
ܭଌͯ͠Έͨ (ͲͪΒcache͠ͳ͍ঢ়گ)
None
yarnͷউར
ܭଌͯ͠Έͨ (cacheΛ༗ޮʹͨ͋͠ͱͷ݁Ռ)
yarnͷউར
ͳΜͱͳ͘ମײͱ͋ͬͯΔɻ ZBSO͕͖ͳਓେମ1FSGPSNBODF ͕͍ͱ͍͏͜ͱͰͬͯΔ
npm ci
npm ci $*$%Ͱ͏ͨΊʹ༨ܭͳॲཧΛ͠ͳ͍ɺͨͩϥΠϒϥ ϦΛθϩ͔Βऔಘ͢Δ͜ͱʹಛԽͨ͠ػೳ
npm ci ͍
yarnͷ͕جຊతʹߴ npmͷ͕͍͕ɺCIͰ yarnΑΓߴ
yarn։ൃ༻్ʹ͍͍ͯΔ npm։ൃɾӡ༻ͰͦΕͧΕ ίϚϯυΛ͚͍ͯΔ
ػೳ ʢجຊతʹ΄΅compatibleʣ
yarnʹ͋ͬͯnpmʹͳ͍ػೳ
yarn licenses list
ґଘϥΠϒϥϦͷϥΠηϯε͕ ҰཡͰ͖Δػೳ $ yarn licenses list yarn licenses v1.9.4 !"
(BSD-2-Clause OR MIT OR Apache-2.0) # $"
[email protected]
# !" URL: https://github.com/dominictarr/rc.git # !" VendorName: Dominic Tarr # $" VendorUrl: dominictarr.com !" (GPL-2.0 OR MIT) # $"
[email protected]
# !" URL: https://github.com/faisalman/ua-parser-js.git # !" VendorName: Faisal Salman # $" VendorUrl: http://github.com/faisalman/ua-parser-js !" (MIT AND BSD-3-Clause) # $"
[email protected]
# !" URL: git://github.com/crypto-browserify/sha.js.git # !" VendorName: Dominic Tarr # $" VendorUrl: https://github.com/crypto-browserify/sha.js
yarn upgrade-interactive
ґଘϥΠϒϥϦͷߋ৽Λରܕ γΣϧͰߦ͑Δػೳ
npmʹ͋ͬͯyarnʹͳ͍ػೳ
npm audit
ґଘϥΠϒϥϦͰ੬ऑੑ͕ใࠂ ͞Ε͍ͯͳ͍͔Λࠪ͢Δػೳ $ npm audit === npm audit security report
=== # Run npm install --save-dev
[email protected]
to resolve 14 vulnerabilities SEMVER WARNING: Recommended action is a potentially breaking change %"""""""""""""""&""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""' # Low # Prototype Pollution # !"""""""""""""""("""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""") # Package # lodash # !"""""""""""""""("""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""") # Dependency of # nyc [dev] # !"""""""""""""""("""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""") # Path # nyc > istanbul-lib-instrument > babel-generator > # # # babel-types > lodash # !"""""""""""""""("""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""") # More info # https://nodesecurity.io/advisories/577 # $"""""""""""""""*""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""+
࠷ۙηΩϡϦςΟ͕͍ʢ ͍ʣ
͔͠npm auditnpmಠࣗͷػೳͱͯ͠ ఏڙ͞ΕͯΔʢଞͷαʔϏεͰ͑ͳ͍ʣ
yarn։ൃπʔϧͱͯ͠༏ल npmӡ༻πʔϧͱͯ͠༏ल
᠘ ʢ͍ͬͯͯҾ͔͔ͬΔϙΠϯτʣ
yarn ͷ᠘
ॏෳϞδϡʔϧΛআ͢Δػ ೳ͕npmͱcompatibleͳಈ ͖Λ͠ͳ͍ɻ
yarn, npm ͱʹॏෳͨ͠Ϟδϡʔ ϧ͕͋ͬͨΒτοϓϨϕϧʹ࡞Δ // ͜͏͍͏ґଘ͕ؔ͋ͬͨΒ app (lib_Aͱlib_Bʹґଘ)/ node_modules/ lib_A(v1)
(lib_B(v1)ʹґଘ)/ lib_B(v1) (lib_C(v1)ʹґଘ)/ lib_C (v1)/ lib_B(v2) (lib_C(v1)ʹґଘ)/ lib_C (v1)/ // CΛҰͭʹͯ͠ɺ֊ߏΛઙ͘͢Δػೳ(dedupeͱݺΕΔ) app/ node_modules/ lib_A (v1)/ lib_B(v1)/ lib_B(v2)/ lib_C(v1)/
yarnͷ߹جຊ͜ͷ dedupe͕ಈ͕͘ɺᘳ͡Ό ͳ͍ɻ https://github.com/yarnpkg/yarn/issues/6070
yarn dedupeෆશ // dedupe͕ෆશͩͱ͜͏ͳΔɻ app/ node_modules/ lib_A (v1)/ lib_B(v1)/ lib_C(v1)/
lib_B(v2)/ lib_C(v1)/ ΄ͱΜͲͷέʔεͰʹͳΒͳ͍͕ɺ$#ͷٯ ࢀর͕͋Δͱ/(
࣮ࡍʹwebpackϞδϡʔϧ ͱͦͷґଘͰҰճNGʹͳͬ ͨɻ
npm ͷ᠘
npm install ͰຖճlockϑΝΠ ϧॻ͖͑ͯ͘Δ
package-lockϑΝΠϧॻ͖͑ Δ $ npm install $ git diff - package-lock.json
(!! npm install ͚ͨͩ͠ͳͷʹϩοΫϑΝΠϧ͕ॻ͖Θͬ ͯΔ !!)
όάͱͯ͠ೝࣝ͞ΕͯΔ͕ɺ ·ͩͬͯͳ͍ɻ
None
package-lockϑΝΠϧॻ͖͑ Δ // workaround $ npm install --nosave OR $
npm ci // npm install —nosave option Λ͚ͭΔͱͦͷλΠϛϯάͰpackage-lock࡞ Βͳ͍ɻ // npm ci package-lock.json͔Βμϯϩʔυ͢ΔҎ֎ͷҰΛ͠ͳ͍ɻ
yarnCLI͕ͩރΕͯͳ͍ npmlockͷ෦ʹ·ͩएׯ ͷই͕͋Δɻ
·ͱΊ • ੑೳ • yarn ͷ͕جຊతʹ͍ • npm ciߴ •
ػೳ • yarnͷ͕։ൃ໘Ͱخ͍͠ػೳ͕ଟ͍ • npmͷ͕ӡ༻໘ʢಛʹηΩϡϦςΟʣͰخ͍͠ػೳ͕ଟ͍ • ᠘ • yarn => deduce ͍ • npm => lockfileউखʹॻ͖͑ͪΌ͏
Q. npm ͱ yarn ͬͯͲͬͪ ͬͨΒ͍͍ΜͰ͔͢ʁ
(ੑೳతʹyarnͷ͕͍͠ɺ ศརίϚϯυ͋Δ͚Ͳɺ npmͷ͕ηΩϡΞͩ͠ɺރΕ ͯΔ͠͏ʔʔΜ…)
A. ͖ͳͷͬͨΒ͍͍Μ͡Ό ͳ͍Ͱ͔͢Ͷ (^^)