npm or yarn, that is a problem.

D76231a2114896dfcc7b79ac69558b79?s=47 Yosuke Furukawa
August 26, 2018
Programming
18
1.6k

npm or yarn, that is a problem.

LL.pm で発表した npm と yarn の話です。

D76231a2114896dfcc7b79ac69558b79?s=128

Yosuke Furukawa

August 26, 2018
Tweet

Want more?

D76231a2114896dfcc7b79ac69558b79?s=48 yosuke_furukawa
3
730
D76231a2114896dfcc7b79ac69558b79?s=48 yosuke_furukawa
66
20k
D76231a2114896dfcc7b79ac69558b79?s=48 yosuke_furukawa
0
2.1k
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
10
540
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
2
270
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
0
180
61857dafbd287b3027c4dcea9008ad3c?s=48 carmenhchung
6
340
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
6
220
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
3
310
C35e01544a0dd94a2cf1619ee8a42ebb?s=48 clairelew
4
570
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
1
170
B3ace07412a5178ea778e7eec161fc0a?s=48 jcasabona
4
250

Transcript

  1. 1.

    npm or yarn , that is a problem. 2018/08/26 @

    LL.pm
  2. 2.

    Twitter: @yosuke_furukawa Github: yosuke-furukawa

  3. 3.
    None
  4. 4.

    FAQ

  5. 5.

    Q. npm ͱ yarn ͬͯͲͬͪ ࢖ͬͨΒ͍͍ΜͰ͔͢ʁ

  6. 6.

    A. ͍΍ɺͲͬͪ࢖ͬͯ΋͍͍ Μ͡Όͳ͍Ͱ͔͢ͶʢຊԻʣ ΈΜͳҧͬͯΈΜͳ͍͍

  7. 7.

    Ͳͬͪ΋ύοέʔδΛ؅ཧ͢ Δػೳ͸ͦΖͬͯΔɻ

  8. 8.

    ͨͩ·͊ͦΕ͚ͩݴͬͯ΋ಀ ͛ͳͷͰɺҰԠ໌֬ʹࠩผԽ ͞ΕͯΔ෦෼Λ঺հ͢Δ

  9. 9.

    ύϑΥʔϚϯε

  10. 10.

    ܭଌͯ͠Έͨ (ͲͪΒ΋cache͠ͳ͍ঢ়گ)

  11. 11.
    None
  12. 12.

    yarnͷউར

  13. 13.

    ܭଌͯ͠Έͨ (cacheΛ༗ޮʹͨ͋͠ͱͷ݁Ռ)

  14. 14.

    yarnͷউར

  15. 15.

    ͳΜͱͳ͘ମײͱ΋͋ͬͯΔɻ ZBSO͕޷͖ͳਓ͸େମ1FSGPSNBODF ͕଎͍ͱ͍͏͜ͱͰ࢖ͬͯΔ

  16. 16.

    npm ci

  17. 17.

    npm ci $*$%Ͱ࢖͏ͨΊʹ༨ܭͳॲཧΛ͠ͳ͍ɺͨͩϥΠϒϥ ϦΛθϩ͔Βऔಘ͢Δ͜ͱʹಛԽͨ͠ػೳ

  18. 18.

    npm ci ଎͍

  19. 19.

    yarnͷ͕جຊతʹ͸ߴ଎ npmͷ͕஗͍͕ɺCI౳Ͱ͸ yarnΑΓ΋ߴ଎

  20. 20.

    yarn͸։ൃ༻్ʹ޲͍͍ͯΔ npm͸։ൃɾӡ༻ͰͦΕͧΕ ίϚϯυΛ෼͚͍ͯΔ

  21. 21.

    ػೳ ʢجຊతʹ΄΅compatibleʣ

  22. 22.

    yarnʹ͋ͬͯnpmʹͳ͍ػೳ

  23. 23.

    yarn licenses list

  24. 24.

    ґଘϥΠϒϥϦͷϥΠηϯε͕ ҰཡͰ͖Δػೳ $ yarn licenses list yarn licenses v1.9.4 !"

    (BSD-2-Clause OR MIT OR Apache-2.0) # $" rc@1.2.8 # !" URL: https://github.com/dominictarr/rc.git # !" VendorName: Dominic Tarr # $" VendorUrl: dominictarr.com !" (GPL-2.0 OR MIT) # $" ua-parser-js@0.7.18 # !" URL: https://github.com/faisalman/ua-parser-js.git # !" VendorName: Faisal Salman # $" VendorUrl: http://github.com/faisalman/ua-parser-js !" (MIT AND BSD-3-Clause) # $" sha.js@2.4.11 # !" URL: git://github.com/crypto-browserify/sha.js.git # !" VendorName: Dominic Tarr # $" VendorUrl: https://github.com/crypto-browserify/sha.js
  25. 25.

    yarn upgrade-interactive

  26. 26.

    ґଘϥΠϒϥϦͷߋ৽Λର࿩ܕ γΣϧͰߦ͑Δػೳ

  27. 27.

    npmʹ͋ͬͯyarnʹͳ͍ػೳ

  28. 28.

    npm audit

  29. 29.

    ґଘϥΠϒϥϦͰ੬ऑੑ͕ใࠂ ͞Ε͍ͯͳ͍͔Λ؂ࠪ͢Δػೳ $ npm audit === npm audit security report

    === # Run npm install --save-dev nyc@13.0.1 to resolve 14 vulnerabilities SEMVER WARNING: Recommended action is a potentially breaking change %"""""""""""""""&""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""' # Low # Prototype Pollution # !"""""""""""""""("""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""") # Package # lodash # !"""""""""""""""("""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""") # Dependency of # nyc [dev] # !"""""""""""""""("""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""") # Path # nyc > istanbul-lib-instrument > babel-generator > # # # babel-types > lodash # !"""""""""""""""("""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""") # More info # https://nodesecurity.io/advisories/577 # $"""""""""""""""*""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""+
  30. 30.

    ࠷ۙ͸ηΩϡϦςΟ͕೤͍ʢ΍ ͹͍ʣ

  31. 31.

    ͔͠΋npm audit͸npmಠࣗͷػೳͱͯ͠ ఏڙ͞ΕͯΔʢଞͷαʔϏεͰ͸࢖͑ͳ͍ʣ

  32. 32.

    yarn͸։ൃπʔϧͱͯ͠༏ल npm͸ӡ༻πʔϧͱͯ͠༏ल

  33. 33.

    ᠘ ʢ࢖͍ͬͯͯҾ͔͔ͬΔϙΠϯτʣ

  34. 34.

    yarn ͷ᠘

  35. 35.

    ॏෳϞδϡʔϧΛ࡟আ͢Δػ ೳ͕npmͱcompatibleͳಈ ͖Λ͠ͳ͍ɻ

  36. 36.

    yarn, npm ͱ΋ʹॏෳͨ͠Ϟδϡʔ ϧ͕͋ͬͨΒτοϓϨϕϧʹ࡞Δ // ͜͏͍͏ґଘؔ܎͕͋ͬͨΒ app (lib_Aͱlib_Bʹґଘ)/ node_modules/ lib_A(v1)

    (lib_B(v1)ʹґଘ)/ lib_B(v1) (lib_C(v1)ʹґଘ)/ lib_C (v1)/ lib_B(v2) (lib_C(v1)ʹґଘ)/ lib_C (v1)/ // CΛҰͭʹͯ͠ɺ֊૚ߏ଄Λઙ͘͢Δػೳ(dedupeͱݺ͹ΕΔ) app/ node_modules/ lib_A (v1)/ lib_B(v1)/ lib_B(v2)/ lib_C(v1)/
  37. 37.

    yarnͷ৔߹΋جຊ͸͜ͷ dedupe͕ಈ͕͘ɺ׬ᘳ͡Ό ͳ͍ɻ
 https://github.com/yarnpkg/yarn/issues/6070

  38. 38.

    yarn dedupeෆ׬શ໰୊ // dedupe͕ෆ׬શͩͱ͜͏ͳΔɻ app/ node_modules/ lib_A (v1)/ lib_B(v1)/ lib_C(v1)/

    lib_B(v2)/ lib_C(v1)/ ΄ͱΜͲͷέʔεͰ͸໰୊ʹͳΒͳ͍͕ɺ$#΁ͷٯ ࢀর͕͋Δͱ/(
  39. 39.

    ࣮ࡍʹ͸webpackϞδϡʔϧ ͱͦͷґଘͰҰճNGʹͳͬ ͨɻ

  40. 40.

    npm ͷ᠘

  41. 41.

    npm install ͰຖճlockϑΝΠ ϧॻ͖׵͑ͯ͘Δ໰୊

  42. 42.

    package-lockϑΝΠϧॻ͖׵͑ Δ໰୊ $ npm install $ git diff - package-lock.json

    (!! npm install ͚ͨͩ͠ͳͷʹϩοΫϑΝΠϧ͕ॻ͖׵Θͬ ͯΔ !!)
  43. 43.

    όάͱͯ͠͸ೝࣝ͞ΕͯΔ͕ɺ ·ͩ௚ͬͯͳ͍ɻ

  44. 44.
    None
  45. 45.

    package-lockϑΝΠϧॻ͖׵͑ Δ໰୊ // workaround $ npm install --nosave OR $

    npm ci // npm install —nosave option Λ͚ͭΔͱͦͷλΠϛϯάͰ͸package-lock͸࡞ Βͳ͍ɻ // npm ci ͸package-lock.json͔Βμ΢ϯϩʔυ͢ΔҎ֎ͷҰ੾Λ͠ͳ͍ɻ
  46. 46.

    yarn͸CLI͕ͩރΕͯͳ͍ npm͸lockͷ෦෼ʹ·ͩएׯ ͷই͕͋Δɻ

  47. 47.

    ·ͱΊ • ੑೳ • yarn ͷ͕جຊతʹ଎͍ • npm ci΋ߴ଎ •

    ػೳ • yarnͷ͕։ൃ໘Ͱخ͍͠ػೳ͕ଟ͍ • npmͷ͕ӡ༻໘ʢಛʹηΩϡϦςΟʣͰخ͍͠ػೳ͕ଟ͍ • ᠘ • yarn => deduce ؁͍໰୊ • npm => lockfileউखʹॻ͖׵͑ͪΌ͏໰୊
  48. 48.

    Q. npm ͱ yarn ͬͯͲͬͪ ࢖ͬͨΒ͍͍ΜͰ͔͢ʁ

  49. 49.

    (ੑೳతʹ͸yarnͷ͕଎͍͠ɺ ศརίϚϯυ΋͋Δ͚Ͳɺ npmͷ͕ηΩϡΞͩ͠ɺރΕ ͯΔ͠͏ʔʔΜ…)

  50. 50.

    A. ޷͖ͳͷ࢖ͬͨΒ͍͍Μ͡Ό ͳ͍Ͱ͔͢Ͷ (^^)