What's the difference between dependencies, devDependencies and peerDependencies in npm package.json file?

前端 未结 14 1762
灰色年华
灰色年华 2020-11-22 00:43

This documentation answers my question very poorly. I didn\'t understand those explanations. Can someone say in simpler words? Maybe with examples if it\'s hard to choose si

14条回答
  •  不思量自难忘°
    2020-11-22 01:41

    peerDependencies didn't quite make sense for me until I read this snippet from a blog post on the topic Ciro mentioned above:

    What [plugins] need is a way of expressing these “dependencies” between plugins and their host package. Some way of saying, “I only work when plugged in to version 1.2.x of my host package, so if you install me, be sure that it’s alongside a compatible host.” We call this relationship a peer dependency.

    The plugin does expect a specific version of the host...

    peerDependencies are for plugins, libraries that require a "host" library to perform their function, but may have been written at a time before the latest version of the host was released.

    That is, if I write PluginX v1 for HostLibraryX v3 and walk away, there's no guarantee PluginX v1 will work when HostLibraryX v4 (or even HostLibraryX v3.0.1) is released.

    ... but the plugin doesn't depend on the host...

    From the point of view of the plugin, it only adds functions to the host library. I don't really "need" the host to add a dependency to a plugin, and plugins often don't literally depend on their host. If you don't have the host, the plugin harmlessly does nothing.

    This means dependencies isn't really the right concept for plugins.

    Even worse, if my host was treated like a dependency, we'd end up in this situation that the same blog post mentions (edited a little to use this answer's made up host & plugin):

    But now, [if we treat the contemporary version of HostLibraryX as a dependency for PluginX,] running npm install results in the unexpected dependency graph of

    ├── HostLibraryX@4.0.0
    └─┬ PluginX@1.0.0
      └── HostLibraryX@3.0.0
    

    I’ll leave the subtle failures that come from the plugin using a different [HostLibraryX] API than the main application to your imagination.

    ... and the host obviously doesn't depend on the plugin...

    ... that's the whole point of plugins. Now if the host was nice enough to include dependency information for all of its plugins, that'd solve the problem, but that'd also introduce a huge new cultural problem: plugin management!

    The whole point of plugins is that they can pair up anonymously. In a perfect world, having the host manage 'em all would be neat & tidy, but we're not going to require libraries herd cats.

    If we're not hierarchically dependent, maybe we're intradependent peers...

    Instead, we have the concept of being peers. Neither host nor plugin sits in the other's dependency bucket. Both live at the same level of the dependency graph.


    ... but this is not an automatable relationship. <<< Moneyball!!!

    If I'm PluginX v1 and expect a peer of (that is, have a peerDependency of) HostLibraryX v3, I'll say so. If you've auto-upgraded to the latest HostLibraryX v4 (note that's version 4) AND have Plugin v1 installed, you need to know, right?

    npm can't manage this situation for me --

    "Hey, I see you're using PluginX v1! I'm automatically downgrading HostLibraryX from v4 to v3, kk?"

    ... or...

    "Hey I see you're using PluginX v1. That expects HostLibraryX v3, which you've left in the dust during your last update. To be safe, I'm automatically uninstalling Plugin v1!!1!

    How about no, npm?!

    So npm doesn't. It alerts you to the situation, and lets you figure out if HostLibraryX v4 is a suitable peer for Plugin v1.


    Coda

    Good peerDependency management in plugins will make this concept work more intuitively in practice. From the blog post, yet again...

    One piece of advice: peer dependency requirements, unlike those for regular dependencies, should be lenient. You should not lock your peer dependencies down to specific patch versions. It would be really annoying if one Chai plugin peer-depended on Chai 1.4.1, while another depended on Chai 1.5.0, simply because the authors were lazy and didn’t spend the time figuring out the actual minimum version of Chai they are compatible with.

提交回复
热议问题