Better NPM'ing, Tips and Tricks using NPM
2018-10-02 - Thomas Queste
I discovered several tips working with NPM on a daily basis. Here are the top ones.
TL;DR: save-exact, npm ci, npm audit fix, npx, updtr, NVM_SYMLINK_CURRENT
I presented those tips to my coworkers, the slides are available online.
Reproducible builds
Problem: your local install can/will differ from another coworkers, even on the CI server!
Cause: Version range are problematic: "rxjs": "^6.2.2"
Greenkeeper.io tells us that 15% of packages break the minor or patch updates:
Solution: Use --save-exact
when installing a dependency
$ npm install --save-exact aDependency
# Shorter:
$ npm i -E aDependency
Better solution: Always exact, never use a range: npm config set save-exact true
$ npm config set save-exact true
Installing package
Problem: Using npm install
will tries to resolves the dependency graph, possibly installing different versions (because of ranges declared in dependencies, not yours even if you used --save-exact
) and then updating the package-lock.json
even if you did not want to.
Solution: Use npm ci
which only read the package-lock.json
↗ Speed (on CI and locally)
➕ Avoid dirty-ing the package-lock.json
$ npm ci
Global package
Problem: Polluting the global node_modules
with global packages: nest-cli, create-react-apps (= hundreds of packages)
Solution: npx
runs a package without installing it (but first, tries to find it locally in node_modules
)
# Example with params given to cleaver
$ npx cleaver watch index.md
Security
Problem: Finding packages with security flaws
Solution: Use the builtin npm audit
and npm audit fix
➕ Fails the build given integrated it in CI
Another solution is to use the builtin services of Github and Gitlab.
$ npm audit fix
Updating packages
Problem: Updating dependency and finding the one that breaks the code is tedious.
Solution 1 (best): updtr update one dependency, then run the tests, then repeat
$ npx updtr
Solution 2: npm-check show a pretty menu of all updates
$ npx npm-check -u
Current Node version in Tools
Problem: When configuring Node/Typescript, the node path is version-dependent
Solution: if you use NVM for managing installation of Node.js, NVM can automatically manage a symlink to the current version of node. NVM will link ~/.nvm/current
to, for example, ~/.nvm/versions/node/v11.0.0
and recreate the link when changing of node version (automatically if you use NVM auto-use ZSH plugin).
# Put this in your .bashrc/.zshrc
$ export NVM_SYMLINK_CURRENT=true
(Bonus) Follow Github Releases
Problem: Be notified of releases
Solution 1: (Updated: 2018.12.02) Github now support watching releases of a repository: Documentation.
Solution 2: Gitpunch.com seems to solve the problem. It can follow all your Github stars and specific projects.