What are Node and npm (What is npm? A Node Package Manager Tutorial for Beginners)

This article should serve as an all-in-one essential guide for Node.js' favorite sidekick: npm.

Node.js has been taking the world by storm since 2009. Hundreds of thousands of systems have been built using Node.js, prompting the developer community to claim that "JavaScript is eating software".

One of the major factors of Node's success is npm - its popular package manager, which allows JavaScript developers to share useful packages like lodash and moment quickly and easily.

As of the moment I'm writing this post, npm has facilitated the publication of over 1.3 million packages with a weekly download rate of over 16 billion! These numbers are fantastic for any software tool. So now let's talk about what exactly npm is.

What is NPM?

NPM – or "Node Package Manager" – is the default package manager for JavaScript's runtime Node.js.

It's also known as "Ninja Pumpkin Mutants", "Nonprofit Pizza Makers", and a host of other random names that you can explore and probably contribute to over at npm-expansions.

NPM consists of two main parts:

  • a CLI (command-line interface) tool for publishing and downloading packages, and
  • an online repository that hosts JavaScript packages

For a more visual explanation, we can think of the repository npmjs.com as a fulfillment center that receives packages of goods from sellers (npm package authors) and distributes these goods to buyers (npm package users).

To facilitate this process, the npmjs.com fulfillment center employs an army of hardworking wombats (npm CLI) who will be assigned as personal assistants to each individual npmjs.com customer. So dependencies are delivered to JavaScript developers like this:

and the process of publishing a package for your JS mates would be something like this:

Let's look at how this army of wombats assist developers who want to use JavaScript packages in their projects. We'll also see how they help open-source wizards get their cool libraries out into the world.

package.json

Every project in JavaScript – whether it's Node.js or a browser application – can be scoped as an npm package, with its own package information and a package.json file whose job is to describe the project.

We can think of package.json as stamped labels on those npm good boxes that our army of Wombats delivers around.

package.json will be generated when npm init is run to initialise a JavaScript/Node.js project, with these basic metadata provided by developers:

  • name: the name of your JavaScript library/project
  • version: the version of your project. For application development this field is often neglected, since an application does not need to be versioned the way an open-source library does; still, it can come in handy as a record of which version of the application is deployed.
  • description: the project's description
  • license: the project's license

npm scripts

package.json also supports a scripts property that can be defined to run command-line tools that are installed in the project's local context. For example, the scripts portion of an npm project can look something like this:

```json
{
  "scripts": {
    "build": "tsc",
    "format": "prettier --write **/*.ts",
    "format-check": "prettier --check **/*.ts",
    "lint": "eslint src/**/*.ts",
    "pack": "ncc build",
    "test": "jest",
    "all": "npm run build && npm run format && npm run lint && npm run pack && npm test"
  }
}
```

with eslint, prettier, ncc, jest not necessarily installed as global executables but rather as local to your project inside node_modules/.bin/.

The more recent npx command lets us run these project-scoped node_modules commands just like a globally installed program by prefixing npx ... (e.g. npx prettier --write **/*.ts). Inside npm scripts the prefix is not needed at all, because npm puts node_modules/.bin on PATH while a script runs, which is why "lint": "eslint ..." works above. One caveat with npx: if the command is not found in the local node_modules/.bin, npx fetches the package from the registry and runs it (npm 7 and later prompt before doing so), so a mistyped package name can execute code you never reviewed.

dependencies vs devDependencies

These two come in the form of key-value objects, with npm package names as the keys and semver-formatted version ranges as the values. This is an example from GitHub's TypeScript Action template:

```json
{
  "dependencies": {
    "@actions/core": "^1.2.3",
    "@actions/github": "^2.1.1"
  },
  "devDependencies": {
    "@types/jest": "^25.1.4",
    "@types/node": "^13.9.0",
    "@typescript-eslint/parser": "^2.22.0",
    "@zeit/ncc": "^0.21.1",
    "eslint": "^6.8.0",
    "eslint-plugin-github": "^3.4.1",
    "eslint-plugin-jest": "^23.8.2",
    "jest": "^25.1.0",
    "jest-circus": "^25.1.0",
    "js-yaml": "^3.13.1",
    "prettier": "^1.19.1",
    "ts-jest": "^25.2.1",
    "typescript": "^3.8.3"
  }
}
```

These dependencies are added with the npm install command: npm install <package-name> records the package under dependencies (the --save flag has been the default since npm 5), while npm install --save-dev <package-name> (or -D) records it under devDependencies. They're meant to be used for production and development/test environments respectively. We will drill deeper into the installation of these packages in the next section.

Meanwhile, it's important to understand the range prefixes that can come before the semantic versions (assuming you have read up on the major.minor.patch model of semver):

  • ^: latest minor release. For example, a ^1.0.4 specification might install version 1.3.0 if that's the latest minor version in the 1.x major series. Note that below 1.0.0 the caret is narrower: ^0.2.3 only allows 0.2.x, because semver makes no compatibility promise across 0.x minor versions.
  • ~: latest patch release. In the same way as ^ for minor releases, a ~1.0.4 specification might install version 1.0.7 if that's the latest patch version in the 1.0.x series.
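As an added example (not part of the original article), here is a small resolver that applies the exact, ^ and ~ rules above, including the 0.x special case, against a constructed list of published versions of one hypothetical package. It handles plain major.minor.patch numbers only; npm itself uses the full semver package, which also understands prerelease tags, || ranges and x wildcards.

```javascript
// Added example, not from the original article: a minimal resolver for the
// exact, "^" and "~" range forms. Plain major.minor.patch versions only;
// npm itself uses the full `semver` package.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

function compare(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Returns the inclusive lower bound and exclusive upper bound of a range.
function rangeBounds(range) {
  const sigil = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = parseVersion(sigil ? range.slice(1) : range);
  let upper;
  if (sigil === '^') {
    // Caret keeps the left-most non-zero component fixed:
    //   ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4
    if (base.major > 0) upper = { major: base.major + 1, minor: 0, patch: 0 };
    else if (base.minor > 0) upper = { major: 0, minor: base.minor + 1, patch: 0 };
    else upper = { major: 0, minor: 0, patch: base.patch + 1 };
  } else if (sigil === '~') {
    // Tilde allows patch-level changes only: ~1.0.4 -> >=1.0.4 <1.1.0
    upper = { major: base.major, minor: base.minor + 1, patch: 0 };
  } else {
    // Exact pin: only the version itself satisfies it
    upper = { major: base.major, minor: base.minor, patch: base.patch + 1 };
  }
  return { lower: base, upper };
}

function satisfies(range, version) {
  const { lower, upper } = rangeBounds(range);
  const v = parseVersion(version);
  return compare(v, lower) >= 0 && compare(v, upper) < 0;
}

// Picks the highest published version that satisfies the range, which is what
// npm does on a fresh install with no lockfile. Returns null if none matches.
function resolve(range, published) {
  const matching = published.filter(v => satisfies(range, v));
  if (matching.length === 0) return null;
  matching.sort((a, b) => compare(parseVersion(a), parseVersion(b)));
  return matching[matching.length - 1];
}

// Constructed "registry": the published versions of one hypothetical package.
const PUBLISHED = ['0.2.3', '0.2.9', '0.3.0', '1.0.4', '1.0.7', '1.3.0', '2.0.0'];

for (const range of ['1.0.4', '~1.0.4', '^1.0.4', '^0.2.3', '^3.0.0']) {
  console.log(`${range.padEnd(7)} -> ${resolve(range, PUBLISHED)}`);
}
```

Running it shows ^1.0.4 resolving to 1.3.0, ~1.0.4 to 1.0.7, ^0.2.3 to 0.2.9 (not 0.3.0) and ^3.0.0 to null. The important point for reproducibility is that the answer depends on what is published at install time, which is exactly why package-lock.json exists.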

All of these exact package versions will be documented in a generated package-lock.json file.

package-lock.json

This file describes the exact versions of the dependencies used in an npm JavaScript project. If package.json is a generic descriptive label, package-lock.json is an ingredient table.

And just like how we don't usually read the ingredient table of a product (unless you are too bored or need to know), package-lock.json is not meant to be read line-by-line by developers (unless we're desperate to resolve "works in my machine" issues).

package-lock.json is generated (or updated) by the npm install command, and is read by the npm CLI so that the same dependency tree can be reproduced on another machine with npm ci. Because it records each package's resolved download URL and integrity hash, it is also what pins the exact bytes you install, so commit it to version control and review its diffs the way you review code.
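As an added example (not from the original article), here is a check that a CI job could run over package-lock.json before npm ci. It walks the "packages" map of a lockfileVersion 2 or 3 lockfile and flags entries that are not pinned to an https URL on the expected registry host, or that have no integrity hash (or a weak one). The lockfile and package names below are constructed for this example, and the allowed-host list is an assumption you would replace with your own registry or mirror.

```javascript
// Added example, not from the original article: a pre-`npm ci` check over the
// "packages" map of a lockfileVersion 2/3 package-lock.json. SAMPLE_LOCK is
// constructed for this example; ALLOWED_REGISTRY_HOSTS is an assumption to
// adapt to your own registry or mirror.

const ALLOWED_REGISTRY_HOSTS = new Set(['registry.npmjs.org']);

function checkLockfile(lock, allowedHosts = ALLOWED_REGISTRY_HOSTS) {
  const findings = [];
  if (!lock.packages) {
    findings.push({ name: '<root>', problem: 'no "packages" map; expected lockfileVersion 2 or 3' });
    return findings;
  }
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '') continue;      // the root project itself
    if (entry.link) continue;       // workspace symlink, nothing is downloaded
    const name = path.replace(/^.*node_modules\//, '');

    if (!entry.resolved) {
      findings.push({ name, problem: 'no "resolved" URL, npm would re-resolve it at install time' });
      continue;
    }
    let url = null;
    try { url = new URL(entry.resolved); } catch (_) { /* reported below */ }
    if (!url) {
      findings.push({ name, problem: `unparseable resolved URL ${entry.resolved}` });
      continue;
    }
    if (url.protocol !== 'https:') {
      findings.push({ name, problem: `non-HTTPS source ${entry.resolved}` });
    }
    if (!allowedHosts.has(url.hostname)) {
      findings.push({ name, problem: `fetched from unexpected host ${url.hostname}` });
    }
    if (!entry.integrity) {
      findings.push({ name, problem: 'no "integrity" hash, tarball contents are not pinned' });
    } else if (!entry.integrity.startsWith('sha512-')) {
      findings.push({ name, problem: `weak integrity algorithm ${entry.integrity.split('-')[0]}` });
    }
  }
  return findings;
}

// Constructed lockfile: pkg-a is fine, pkg-b and pkg-c each have problems.
const SAMPLE_LOCK = {
  name: 'demo-app',
  version: '1.0.0',
  lockfileVersion: 3,
  requires: true,
  packages: {
    '': { name: 'demo-app', version: '1.0.0',
          dependencies: { 'pkg-a': '^1.2.0', 'pkg-b': '^2.0.0', 'pkg-c': 'github:someone/pkg-c' } },
    'node_modules/pkg-a': {
      version: '1.2.3',
      resolved: 'https://registry.npmjs.org/pkg-a/-/pkg-a-1.2.3.tgz',
      integrity: 'sha512-c29tZSBjb25zdHJ1Y3RlZCBoYXNoIHZhbHVlLCBub3QgYSByZWFsIG9uZQ==' // constructed value
    },
    'node_modules/pkg-b': {
      version: '2.0.1',
      resolved: 'http://registry.example.internal/pkg-b/-/pkg-b-2.0.1.tgz'
      // no integrity field at all
    },
    'node_modules/pkg-c': {
      version: '0.1.0',
      resolved: 'git+ssh://git@github.com/someone/pkg-c.git#0123456789abcdef0123456789abcdef01234567',
      integrity: 'sha1-Y29uc3RydWN0ZWQ=' // constructed value
    }
  }
};

for (const f of checkLockfile(SAMPLE_LOCK)) {
  console.log(`${f.name}: ${f.problem}`);
}
```

To use it on a real project, parse your package-lock.json with JSON.parse and pass the object to checkLockfile, failing the build if it returns anything. The git dependency is flagged deliberately: a commit hash pins the source, but there is no registry tarball and no sha512 integrity for npm to verify, so it deserves a conscious decision rather than a silent pass.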

How to effectively command NPM Wombats as a "buyer"

As inferred from the 1.3 million published packages vs 16 billion downloads mentioned earlier, the majority of npm users use npm in this direction. So it's good to know how to wield this powerful tool.

npm install

This is the most commonly used command as we develop JavaScript/Node.js applications nowadays.

By default, npm install <package-name> installs the latest published version of a package and records it in package.json with the ^ prefix. A bare npm install inside an npm project downloads packages into the project's node_modules folder according to package.json. If a package-lock.json exists and still satisfies the ranges in package.json, the locked versions are used; otherwise npm resolves the newest versions allowed by the ^ and ~ ranges and writes the result back to package-lock.json.

You can specify a global flag -g if you want to install a package in the global context which you can use anywhere across your machine (this is common for command-line tooling packages like live-server).

npm has made installing JavaScript packages so easy that this command is often used incorrectly. This results in npm being the butt of a lot of programmers' jokes like these:

This is where the --production flag comes to the rescue! In the previous section, we discussed dependencies and devDependencies, meant for use in production and development/test environments respectively. The --production flag is what makes node_modules differ between the two. Setting NODE_ENV=production has the same effect, and npm 8 and later spell it npm install --omit=dev, with --production kept as an alias.

By attaching this flag to the npm install command, we will only install packages from dependencies, thus drastically reducing the size of our node_modules to whatever is absolutely necessary for our applications to be up and running.

Just like how as boy and girl scouts we didn't bring lemon squeezers to our lemonade booth, we shouldn't bring devDependencies to production!

npm ci

So if npm install --production is optimal for a production environment, must there be a command that's optimal for my local development, testing setup?

The answer is npm ci.

Whereas npm install generates package-lock.json if it doesn't already exist (and may update it), npm ci consumes this file to download the exact version of each individual package that the project depends on. It refuses to run if package.json and package-lock.json disagree, never modifies the lockfile, and removes any existing node_modules before installing, which is what makes it suitable for CI and for clean local builds.

This is how we can make sure that our project's context stays exactly the same across different machines, whether it's our laptops used for development or CI (Continuous Integration) build environments like GitHub Actions.

npm audit

With the humongous number of packages that have been published and can be installed so easily, the npm ecosystem is exposed to bad authors with malicious intentions, and to otherwise legitimate packages whose maintainer accounts get compromised.

Realising that there was an issue in the ecosystem, the npm organisation came up with npm audit. It maintains a database of known security advisories, against which developers can audit their dependencies by running the npm audit command. Note what this covers: known, reported vulnerabilities in the versions you have installed. A freshly published malicious package with no advisory yet will not be flagged, so npm audit complements, rather than replaces, reviewing what you install.

npm audit gives developers information about the vulnerabilities and whether there're versions with remediations to upgrade to. For example,

If the remediations are available within the next non-breaking version upgrades, npm audit fix can be used to upgrade the affected dependencies' versions automatically. npm audit fix --force will also apply semver-major upgrades, which can break your build, so treat it as the start of a manual upgrade rather than something to run unattended. In CI, npm audit --audit-level=high makes the command exit non-zero only for vulnerabilities at or above that severity.
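As an added example (not from the original article), here is a triage step over the output of npm audit --json that a CI job could use to decide whether to fail, and to separate what npm audit fix can handle from what needs a breaking upgrade or has no fix yet. The report shape used here (auditReportVersion 2, a top-level "vulnerabilities" map whose entries carry "severity" and "fixAvailable") is the npm 7+ format as I understand it; treat that as an assumption and compare it with real output from your own npm version. The report, package names and advisories below are constructed.

```javascript
// Added example, not from the original article: triage of `npm audit --json`
// output for a CI gate. The report shape (auditReportVersion 2, a top-level
// "vulnerabilities" map with "severity" and "fixAvailable") is the npm 7+
// format as I understand it; treat it as an assumption and check it against
// your own npm version. SAMPLE_REPORT is constructed for this example.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Buckets each vulnerability at or above minSeverity by what `npm audit fix`
// can do about it. fixAvailable is `true` (fix within current semver ranges),
// an object naming the direct dependency to bump (isSemVerMajor says whether
// that bump is breaking), or `false` (no fixed version published yet).
function triageAudit(report, minSeverity = 'high') {
  const threshold = SEVERITY_RANK[minSeverity];
  if (threshold === undefined) throw new Error(`unknown severity ${minSeverity}`);
  const result = { safeFix: [], breakingFix: [], noFix: [], belowThreshold: [] };
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    const rank = SEVERITY_RANK[vuln.severity] ?? 0;
    if (rank < threshold) { result.belowThreshold.push(name); continue; }
    const fix = vuln.fixAvailable;
    if (!fix) result.noFix.push(name);
    else if (fix === true || !fix.isSemVerMajor) result.safeFix.push(name);
    else result.breakingFix.push(name);
  }
  // Fail on anything at or above the threshold, fixable or not: a known
  // vulnerable dependency with no fix still needs a human decision.
  result.shouldFail = result.safeFix.length + result.breakingFix.length + result.noFix.length > 0;
  return result;
}

// Helper for the constructed advisories; the URL host is deliberately invalid.
function advisory(id, title, severity, range) {
  return { source: id, title, severity, range, url: `https://example.invalid/advisories/${id}` };
}

// Constructed report in the npm 7+ shape (assumption, see above).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'pkg-a': { name: 'pkg-a', severity: 'critical', isDirect: false,
      via: [advisory(1001, 'Prototype pollution (constructed)', 'critical', '<2.1.0')],
      effects: ['pkg-x'], range: '<2.1.0', nodes: ['node_modules/pkg-a'], fixAvailable: true },
    'pkg-b': { name: 'pkg-b', severity: 'high', isDirect: true,
      via: [advisory(1002, 'Path traversal (constructed)', 'high', '<5.0.0')],
      effects: [], range: '<5.0.0', nodes: ['node_modules/pkg-b'],
      fixAvailable: { name: 'pkg-b', version: '5.0.2', isSemVerMajor: true } },
    'pkg-c': { name: 'pkg-c', severity: 'moderate', isDirect: false,
      via: [advisory(1003, 'ReDoS (constructed)', 'moderate', '<1.4.1')],
      effects: [], range: '<1.4.1', nodes: ['node_modules/pkg-c'], fixAvailable: true },
    'pkg-d': { name: 'pkg-d', severity: 'high', isDirect: false,
      via: [advisory(1004, 'Command injection (constructed)', 'high', '*')],
      effects: [], range: '*', nodes: ['node_modules/pkg-d'], fixAvailable: false }
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 2, critical: 1, total: 4 } }
};

const triage = triageAudit(SAMPLE_REPORT, 'high');
console.log(JSON.stringify(triage, null, 2));
// In a CI script you would end with: process.exit(triage.shouldFail ? 1 : 0)
```

On the sample report this puts pkg-a in safeFix (npm audit fix can take it), pkg-b in breakingFix (a major bump of a direct dependency, so a deliberate upgrade), pkg-d in noFix (nothing published yet, so decide whether to replace it or accept the risk for now) and pkg-c below the high threshold. If all you need is the exit code, the built-in npm audit --audit-level=high does that part without any script.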

How to effectively command NPM wombats as a "seller"

We have gone through how to wield the NPM CLI tool as a consumer, but what about effectively using it as an author (and potentially becoming a JavaScript open source wizard
