From 71e285b94c7edaa43aa8115965cf5a36b8e0f80a Mon Sep 17 00:00:00 2001 From: Florian Dold Date: Wed, 3 Apr 2019 15:43:32 +0200 Subject: Node.js v11.13.0 --- deps/node/deps/npm/doc/files/package-lock.json.md | 142 ++++++++++++++++++++++ 1 file changed, 142 insertions(+) create mode 100644 deps/node/deps/npm/doc/files/package-lock.json.md (limited to 'deps/node/deps/npm/doc/files/package-lock.json.md') diff --git a/deps/node/deps/npm/doc/files/package-lock.json.md b/deps/node/deps/npm/doc/files/package-lock.json.md new file mode 100644 index 00000000..1b4ba934 --- /dev/null +++ b/deps/node/deps/npm/doc/files/package-lock.json.md @@ -0,0 +1,142 @@ +package-lock.json(5) -- A manifestation of the manifest +===================================================== + +## DESCRIPTION + +`package-lock.json` is automatically generated for any operations where npm +modifies either the `node_modules` tree, or `package.json`. It describes the +exact tree that was generated, such that subsequent installs are able to +generate identical trees, regardless of intermediate dependency updates. + +This file is intended to be committed into source repositories, and serves +various purposes: + +* Describe a single representation of a dependency tree such that teammates, deployments, and continuous integration are guaranteed to install exactly the same dependencies. + +* Provide a facility for users to "time-travel" to previous states of `node_modules` without having to commit the directory itself. + +* To facilitate greater visibility of tree changes through readable source control diffs. + +* And optimize the installation process by allowing npm to skip repeated metadata resolutions for previously-installed packages. + +One key detail about `package-lock.json` is that it cannot be published, and it +will be ignored if found in any place other than the toplevel package. It shares +a format with npm-shrinkwrap.json(5), which is essentially the same file, but +allows publication. This is not recommended unless deploying a CLI tool or +otherwise using the publication process for producing production packages. + +If both `package-lock.json` and `npm-shrinkwrap.json` are present in the root of +a package, `package-lock.json` will be completely ignored. + + +## FILE FORMAT + +### name + +The name of the package this is a package-lock for. This must match what's in +`package.json`. + +### version + +The version of the package this is a package-lock for. This must match what's in +`package.json`. + +### lockfileVersion + +An integer version, starting at `1` with the version number of this document +whose semantics were used when generating this `package-lock.json`. + +### packageIntegrity + +This is a [subresource +integrity](https://w3c.github.io/webappsec/specs/subresourceintegrity/) value +created from the `package.json`. No preprocessing of the `package.json` should +be done. Subresource integrity strings can be produced by modules like +[`ssri`](https://www.npmjs.com/package/ssri). + +### preserveSymlinks + +Indicates that the install was done with the environment variable +`NODE_PRESERVE_SYMLINKS` enabled. The installer should insist that the value of +this property match that environment variable. + +### dependencies + +A mapping of package name to dependency object. Dependency objects have the +following properties: + +#### version + +This is a specifier that uniquely identifies this package and should be +usable in fetching a new copy of it. + +* bundled dependencies: Regardless of source, this is a version number that is purely for informational purposes. +* registry sources: This is a version number. (eg, `1.2.3`) +* git sources: This is a git specifier with resolved committish. (eg, `git+https://example.com/foo/bar#115311855adb0789a0466714ed48a1499ffea97e`) +* http tarball sources: This is the URL of the tarball. (eg, `https://example.com/example-1.3.0.tgz`) +* local tarball sources: This is the file URL of the tarball. (eg `file:///opt/storage/example-1.3.0.tgz`) +* local link sources: This is the file URL of the link. (eg `file:libs/our-module`) + +#### integrity + +This is a [Standard Subresource +Integrity](https://w3c.github.io/webappsec/specs/subresourceintegrity/) for this +resource. + +* For bundled dependencies this is not included, regardless of source. +* For registry sources, this is the `integrity` that the registry provided, or if one wasn't provided the SHA1 in `shasum`. +* For git sources this is the specific commit hash we cloned from. +* For remote tarball sources this is an integrity based on a SHA512 of + the file. +* For local tarball sources: This is an integrity field based on the SHA512 of the file. + +#### resolved + +* For bundled dependencies this is not included, regardless of source. +* For registry sources this is path of the tarball relative to the registry + URL. If the tarball URL isn't on the same server as the registry URL then + this is a complete URL. + +#### bundled + +If true, this is the bundled dependency and will be installed by the parent +module. When installing, this module will be extracted from the parent +module during the extract phase, not installed as a separate dependency. + +#### dev + +If true then this dependency is either a development dependency ONLY of the +top level module or a transitive dependency of one. This is false for +dependencies that are both a development dependency of the top level and a +transitive dependency of a non-development dependency of the top level. + +#### optional + +If true then this dependency is either an optional dependency ONLY of the +top level module or a transitive dependency of one. This is false for +dependencies that are both an optional dependency of the top level and a +transitive dependency of a non-optional dependency of the top level. + +All optional dependencies should be included even if they're uninstallable +on the current platform. + + +#### requires + +This is a mapping of module name to version. This is a list of everything +this module requires, regardless of where it will be installed. The version +should match via normal matching rules a dependency either in our +`dependencies` or in a level higher than us. + + +#### dependencies + +The dependencies of this dependency, exactly as at the top level. + +## SEE ALSO + +* npm-shrinkwrap(1) +* npm-shrinkwrap.json(5) +* npm-package-locks(5) +* package.json(5) +* npm-install(1) -- cgit v1.2.3