Upgrade to Pro — share decks privately, control downloads, hide ads and more …

npm or yarn, that is a problem.

npm or yarn, that is a problem.

LL.pm で発表した npm と yarn の話です。

Yosuke Furukawa

August 26, 2018
Tweet

More Decks by Yosuke Furukawa

Other Decks in Programming

Transcript

  1. FAQ

  2. ґଘϥΠϒϥϦͷϥΠηϯε͕ ҰཡͰ͖Δػೳ $ yarn licenses list yarn licenses v1.9.4 !"

    (BSD-2-Clause OR MIT OR Apache-2.0) # $" [email protected] # !" URL: https://github.com/dominictarr/rc.git # !" VendorName: Dominic Tarr # $" VendorUrl: dominictarr.com !" (GPL-2.0 OR MIT) # $" [email protected] # !" URL: https://github.com/faisalman/ua-parser-js.git # !" VendorName: Faisal Salman # $" VendorUrl: http://github.com/faisalman/ua-parser-js !" (MIT AND BSD-3-Clause) # $" [email protected] # !" URL: git://github.com/crypto-browserify/sha.js.git # !" VendorName: Dominic Tarr # $" VendorUrl: https://github.com/crypto-browserify/sha.js
  3. ґଘϥΠϒϥϦͰ੬ऑੑ͕ใࠂ ͞Ε͍ͯͳ͍͔Λ؂ࠪ͢Δػೳ $ npm audit === npm audit security report

    === # Run npm install --save-dev [email protected] to resolve 14 vulnerabilities SEMVER WARNING: Recommended action is a potentially breaking change %"""""""""""""""&""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""' # Low # Prototype Pollution # !"""""""""""""""("""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""") # Package # lodash # !"""""""""""""""("""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""") # Dependency of # nyc [dev] # !"""""""""""""""("""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""") # Path # nyc > istanbul-lib-instrument > babel-generator > # # # babel-types > lodash # !"""""""""""""""("""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""") # More info # https://nodesecurity.io/advisories/577 # $"""""""""""""""*""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""+
  4. yarn, npm ͱ΋ʹॏෳͨ͠Ϟδϡʔ ϧ͕͋ͬͨΒτοϓϨϕϧʹ࡞Δ // ͜͏͍͏ґଘؔ܎͕͋ͬͨΒ app (lib_Aͱlib_Bʹґଘ)/ node_modules/ lib_A(v1)

    (lib_B(v1)ʹґଘ)/ lib_B(v1) (lib_C(v1)ʹґଘ)/ lib_C (v1)/ lib_B(v2) (lib_C(v1)ʹґଘ)/ lib_C (v1)/ // CΛҰͭʹͯ͠ɺ֊૚ߏ଄Λઙ͘͢Δػೳ(dedupeͱݺ͹ΕΔ) app/ node_modules/ lib_A (v1)/ lib_B(v1)/ lib_B(v2)/ lib_C(v1)/
  5. yarn dedupeෆ׬શ໰୊ // dedupe͕ෆ׬શͩͱ͜͏ͳΔɻ app/ node_modules/ lib_A (v1)/ lib_B(v1)/ lib_C(v1)/

    lib_B(v2)/ lib_C(v1)/ ΄ͱΜͲͷέʔεͰ͸໰୊ʹͳΒͳ͍͕ɺ$#΁ͷٯ ࢀর͕͋Δͱ/(
  6. package-lockϑΝΠϧॻ͖׵͑ Δ໰୊ $ npm install $ git diff - package-lock.json

    (!! npm install ͚ͨͩ͠ͳͷʹϩοΫϑΝΠϧ͕ॻ͖׵Θͬ ͯΔ !!)
  7. package-lockϑΝΠϧॻ͖׵͑ Δ໰୊ // workaround $ npm install --nosave OR $

    npm ci // npm install —nosave option Λ͚ͭΔͱͦͷλΠϛϯάͰ͸package-lock͸࡞ Βͳ͍ɻ // npm ci ͸package-lock.json͔Βμ΢ϯϩʔυ͢ΔҎ֎ͷҰ੾Λ͠ͳ͍ɻ
  8. ·ͱΊ • ੑೳ • yarn ͷ͕جຊతʹ଎͍ • npm ci΋ߴ଎ •

    ػೳ • yarnͷ͕։ൃ໘Ͱخ͍͠ػೳ͕ଟ͍ • npmͷ͕ӡ༻໘ʢಛʹηΩϡϦςΟʣͰخ͍͠ػೳ͕ଟ͍ • ᠘ • yarn => deduce ؁͍໰୊ • npm => lockfileউखʹॻ͖׵͑ͪΌ͏໰୊