Semantic Versioning (semver) and package-lock


Last Updated on 2021-01-06

semver

Semantic versioning; see https://semver.org/lang/zh-CN/

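Package manager dependencies

| Language | dependency-file | lock-file |
| --- | --- | --- |
| nodejs(npm) | package.json | package-lock.json |
| golang | go.mod | go.sum |
| rust(Cargo) | Cargo.toml | Cargo.lock |
| python(Pipenv) | Pipfile | Pipfile.lock |
| python | requirements.txt | None |
| java(maven) | pom.xml | None |
| php(Composer) | composer.json | composer.lock |
| ruby(gem) | Gemfile | Gemfile.lock |

Lock files need to be committed to the git repository.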

java

Why doesn’t Gradle or Maven have a dependency version lock file?
https://stackoverflow.com/questions/44521542/why-doesnt-gradle-or-maven-have-a-dependency-version-lock-file

inexact version

Whenever dependency management uses inexact versions, such as version ranges, a dependency lock file must be generated to pin each inexact version to an exact version. This process is called locking.
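The check below is an added example, not code from the original post: it audits that every range in a package.json is pinned by the lock file to an exact version inside that range, with an integrity hash. It assumes the lockfileVersion 1 layout (`dependencies[name].version` and `.integrity`); the function names, package names, versions and hashes are constructed for illustration.

```javascript
// Added example; package names, versions and hashes below are constructed.
// Assumed lock layout: lockfileVersion 1, dependencies[name].version / .integrity
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
const parse = (v) => v.split("-")[0].split(".").map(Number); // pre-release tag ignored

// Minimal range check: handles exact, ^x.y.z and ~x.y.z; returns null for other syntax.
function satisfies(version, spec) {
  if (EXACT.test(spec)) return version === spec;
  const m = /^([\^~])(\d+\.\d+\.\d+)$/.exec(spec);
  if (!m) return null;
  const [maj, min, pat] = parse(version);
  const [bMaj, bMin, bPat] = parse(m[2]);
  const atLeast = maj > bMaj || (maj === bMaj && (min > bMin || (min === bMin && pat >= bPat)));
  if (!atLeast) return false;
  if (m[1] === "~") return maj === bMaj && min === bMin;
  // Caret: the left-most non-zero component of the base must not change.
  if (bMaj > 0) return maj === bMaj;
  if (bMin > 0) return maj === 0 && min === bMin;
  return maj === 0 && min === 0 && pat === bPat;
}

// Compare the manifest against the lock file and list every dependency that is not safely pinned.
function auditLock(pkg, lock) {
  const findings = [];
  const deps = { ...pkg.dependencies, ...pkg.devDependencies };
  for (const [name, spec] of Object.entries(deps)) {
    const entry = (lock.dependencies || {})[name];
    if (!entry) { findings.push({ name, issue: "not-locked" }); continue; }
    if (!EXACT.test(entry.version)) findings.push({ name, issue: "lock-not-exact" });
    else if (satisfies(entry.version, spec) === false) findings.push({ name, issue: "lock-outside-range" });
    if (!entry.integrity) findings.push({ name, issue: "no-integrity" });
  }
  return findings;
}

// Constructed sample manifests.
const samplePkg = {
  dependencies: { "alpha-lib": "^1.3.0", "beta-lib": "~4.17.20", "gamma-lib": "4.3.1" },
  devDependencies: { "delta-lib": "^8.2.0" },
};
const sampleLock = { lockfileVersion: 1, dependencies: {
  "alpha-lib": { version: "1.3.0", integrity: "sha512-CONSTRUCTED" },
  "beta-lib": { version: "4.18.0", integrity: "sha512-CONSTRUCTED" },
  "gamma-lib": { version: "4.3.1" },
} };
console.log(auditLock(samplePkg, sampleLock));
```

A non-empty result means the lock file no longer pins what the manifest declares, so an install could resolve a version nobody reviewed.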
