Original URL: http://stackoverflow.com/questions/11207638/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverflow
Advantages of bundledDependencies over normal dependencies in npm
Asked by balupton
npm allows us to specify bundledDependencies, but what are the advantages of doing so? I guess if we want to make absolutely sure we get the right version even if the module we reference gets deleted, or perhaps there is a speed benefit with bundling?
Anyone know the advantages of bundledDependencies over normal dependencies?
Accepted answer by Julian Knight
One of the biggest problems right now with Node is how fast it is changing. This means that production systems can be very fragile and an npm update can easily break things.
Using bundledDependencies is a way to get round this issue by ensuring, as you correctly surmise, that you will always deliver the correct dependencies no matter what else may be changing.
You can also use this to bundle up your own, private bundles and deliver them with the install.
Answer by nha
For the quick reader: this QA is about the package.json bundledDependencies field, not about the package.
What bundledDependencies do
"bundledDependencies" are exactly what their name implies. Dependencies that should be inside your project. So the functionality is basically the same as normal dependencies. They will also be packed when running npm pack.
When to use them
Normal dependencies are usually installed from the npm registry. Thus bundled dependencies are useful when:
- you want to re-use a third party library that doesn't come from the npm registry or that was modified
- you want to re-use your own projects as modules
- you want to distribute some files with your module
This way, you don't have to create (and maintain) your own npm repository, but get the same benefits that you get from npm packages.
When not to use bundled dependencies
When developing, I don't think that the main point is to prevent accidental updates though. We have better tools for that, namely code repositories (git, mercurial, svn...) or now lock files.
To pin your package versions, you can use:
- Option1: Use the newer NPM version 5 that comes with node 8. It uses a package-lock.json file (see the node blog and the node 8 release)
- Option2: use yarn instead of npm. It is a package manager from facebook, faster than npm and it uses a yarn.lock file. It uses the same package.json otherwise.
This is comparable to lockfiles in other package managers like Bundler or Cargo. It's similar to npm's npm-shrinkwrap.json, however it's not lossy and it creates reproducible results.
npm actually copied that feature from yarn, amongst other things.
- Option3: this was the previously recommended approach, which I do not recommend anymore. The idea was to use npm shrinkwrap most of the time, and sometimes put the whole thing, including the node_module folder, into your code repository. Or possibly use shrinkpack. The best practices at the time were discussed on the node.js blog and on the joyent developer websites.
See also
This is a bit outside the scope of the question, but I'd like to mention the last kind of dependencies (that I know of): peer dependencies. Also see this related SO question and possibly the docs of yarn on bundledDependencies.
Answer by Boris Egorov
Other advantage is that you can put your internal dependencies (application components) there and then just require them in your app as if they were independent modules instead of cluttering your lib/ and publishing them to npm.
If/when they are matured to the point they could live as separate modules, you can put them on npm easily, without modifying your code.
Answer by Coderer
I'm surprised I didn't see this here already, but when carefully selected, bundledDependencies can be used to produce a distributable package from npm pack that will run on a system where npm is not configured. This is helpful if you have e.g. a system that's not networked / not on the internet: bring your package over on a thumb drive (or whatever) and unpack the tarball, then npm run or node index.js and it Just Works.
Maybe there's a better way to bundle up your application to run "offline", but if there is I haven't found it.
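For the offline tarball described in the answer above, a pre-pack inventory of what the package will carry. This is an added example, not code from the answer or from npm; the function names, the sample project and its package names are hypothetical, and only the array form of the field is handled.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// List each bundled dependency with the version that sits in node_modules,
// i.e. the copy that `npm pack` would place inside the tarball.
function inventoryBundled(projectDir) {
  const readJson = (p) => JSON.parse(fs.readFileSync(p, 'utf8'));
  const manifest = readJson(path.join(projectDir, 'package.json'));
  // npm accepts both spellings of the field.
  const bundled = manifest.bundledDependencies || manifest.bundleDependencies || [];
  const declared = manifest.dependencies || {};
  return bundled.map((name) => {
    const depManifest = path.join(projectDir, 'node_modules', name, 'package.json');
    const installed = fs.existsSync(depManifest) ? readJson(depManifest).version : null;
    const notes = [];
    if (!(name in declared)) notes.push('not listed in dependencies');
    if (installed === null) notes.push('missing from node_modules');
    return { name, range: declared[name] || null, installed, notes };
  });
}

// Constructed sample project (hypothetical package names) in a temp directory.
function makeSampleProject() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'bundled-demo-'));
  const write = (rel, obj) => {
    const file = path.join(dir, rel);
    fs.mkdirSync(path.dirname(file), { recursive: true });
    fs.writeFileSync(file, JSON.stringify(obj, null, 2));
  };
  write('package.json', {
    name: 'offline-app',
    version: '1.0.0',
    dependencies: { 'internal-logger': '1.2.0', 'left-out': '^2.0.0' },
    bundledDependencies: ['internal-logger', 'left-out', 'undeclared-lib'],
  });
  write('node_modules/internal-logger/package.json', { name: 'internal-logger', version: '1.2.0' });
  write('node_modules/undeclared-lib/package.json', { name: 'undeclared-lib', version: '0.3.1' });
  return dir;
}

// Print one line per bundled package: name, shipped version, notes.
for (const row of inventoryBundled(makeSampleProject())) {
  console.log(row.name, row.installed || '-', row.notes.join('; ') || 'ok');
}
```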
Answer by mushuweasel
Operationally, I look at bundledDependencies as a module's private module store, where dependencies is more public, resolved among your module and its dependencies (and sub-dependencies). Your module may rely on an older version of, say, react, but a dependency requires latest-and-greatest. Your package/install will result in your pinned version in node_modules/$yourmodule/node_modules/react, while your dependency will get their version in node_modules/react (or node_modules/$dependency/node_modules/react if they're so inclined).
A caveat: I recently ran into a dependency that did not properly configure its dependency on react, and having react in bundledDependencies caused that dependent module to fail at runtime.

