Second Update

第二次更新

The FAQ is not available anymore.

常见问题不再可用。

From the documentation of shrinkwrap:

从文档shrinkwrap：

If you wish to lock down the specific bytes included in a package, for example to have 100% confidence in being able to reproduce a deployment or build, then you ought to check your dependencies into source control, or pursue some other mechanism that can verify contents rather than versions.

如果您希望锁定包含在包中的特定字节，例如对能够重现部署或构建有 100% 的信心，那么您应该将您的依赖项检查到源代码控制中，或寻求其他一些可以验证的机制内容而不是版本。

Shannon and Steven mentioned this before but I think, it should be part of the accepted answer.

香农和史蒂文之前提到过这一点，但我认为，这应该是公认答案的一部分。

Update

更新

The source listed for the below recommendation has been updated. They are no longer recommending the node_modulesfolder be committed.

为以下建议列出的来源已更新。他们不再建议node_modules提交文件夹。

Usually, no. Allow npm to resolve dependencies for your packages.

For packages you deploy, such as websites and apps, you should use npm shrinkwrap to lock down your full dependency tree:

https://docs.npmjs.com/cli/shrinkwrap

通常，没有。允许 npm 解析包的依赖关系。

对于你部署的包，比如网站和应用程序，你应该使用 npm shrinkwrap 来锁定你的完整依赖树：

https://docs.npmjs.com/cli/shrinkwrap

Original Post

原帖

For reference, npm FAQ answers your question clearly:

作为参考，npm FAQ 清楚地回答了您的问题：

Check node_modules into git for things you deploy, such as websites and apps. Do not check node_modules into git for libraries and modules intended to be reused. Use npm to manage dependencies in your dev environment, but not in your deployment scripts.

将 node_modules 签入 git 以获取您部署的内容，例如网站和应用程序。对于打算重用的库和模块，不要将 node_modules 检查到 git 中。使用 npm 管理开发环境中的依赖项，而不是部署脚本中的依赖项。

and for some good rationale for this, read Mikeal Rogers' post on this.

对此有一些很好的理由，请阅读Mikeal Rogers 对此的帖子。

Source: https://docs.npmjs.com/misc/faq#should-i-check-my-node-modules-folder-into-git

来源：https: //docs.npmjs.com/misc/faq#should-i-check-my-node-modules-folder-into-git

My biggest concern with notchecking node_modulesinto git is that 10 years down the road, when your production application is still in use, npm may not be around. Or npm might become corrupted; or the maintainers might decide to remove the library that you rely on from their repository; or the version you use might be trimmed out.

我对不检查node_modulesgit 的最大担忧是 10 年后，当您的生产应用程序仍在使用时，npm 可能不会出现。或者 npm 可能会损坏；或者维护者可能决定从他们的存储库中删除您依赖的库；或者您使用的版本可能会被删减。

This can be mitigated with repo managers like maven, because you can always use your own local Nexus or Artifactory to maintain a mirror with the packages that you use. As far as I understand, such a system doesn't exist for npm. The same goes for client-side library managers like Bower and Jamjs.

这可以通过像 maven 这样的 repo 管理器来缓解，因为你总是可以使用你自己的本地 Nexus 或 Artifactory 来维护你使用的包的镜像。据我了解，npm 不存在这样的系统。像 Bower 和 Jamjs 这样的客户端库管理器也是如此。

If you've committed the files to your own git repo, then you can update them when you like, and you have the comfort of repeatable builds and the knowledge that your app won't break because of some third-party action.

如果您已将文件提交到您自己的 git 存储库，那么您可以随时更新它们，并且您可以轻松地重复构建，并且知道您的应用程序不会因为某些第三方操作而中断。

You should not includenode_modulesin your .gitignore(or rather you should includenode_modulesin your sourcedeployed to Heroku).

你不应该包括node_modules在你的.gitignore（或者你应该包括node_modules在你部署到 Heroku的源代码中）。

If node_modules:

如果node_modules：

• existsthen npm installwill use those vendored libs and will rebuild any binary dependencies with npm rebuild.
• doesn't existthen npm installwill have to fetch all dependencies itself which adds time to the slug compile step.

• 存在然后npm install将使用这些供应商的库并将重建任何二进制依赖项npm rebuild。
• 不存在则npm install必须自己获取所有依赖项，这会增加 slug 编译步骤的时间。

See the Node.js buildpack source for these exact steps

有关这些确切步骤，请参阅 Node.js buildpack 源代码

However, the original error looks to be an incompatibility between the versions of npmand node. It is a good idea to always explicitly set the enginessection of your packages.jsonaccording to this guideto avoid these types of situations:

但是，原始错误看起来是npm和的版本不兼容node。根据本指南始终明确设置engines您的部分以避免这些类型的情况是个好主意：packages.json

{
  "name": "myapp",
  "version": "0.0.1",
  "engines": {
    "node": "0.8.x",
    "npm":  "1.1.x"
  }
}

This will ensure dev/prod parityand reduce the likelihood of such situations in the future.

这将确保dev/prod对等，并减少将来发生此类情况的可能性。

I was going to leave this after this comment: Should I check in node_modules to git when creating a node.js app on Heroku?

我打算在这条评论后留下这个：在 Heroku 上创建 node.js 应用程序时，我应该将 node_modules 签入到 git 吗？

But stackoverflow was formatting it weird. If you don't have identical machines and are checking in node_modules, do a .gitignore on the native extensions. Our .gitignore looks like:

但是 stackoverflow 格式化它很奇怪。如果您没有相同的机器并且正在检查 node_modules，请在本机扩展上执行 .gitignore。我们的 .gitignore 看起来像：

# Ignore native extensions in the node_modules folder (things changed by npm rebuild)
node_modules/**/*.node
node_modules/**/*.o
node_modules/**/*.a
node_modules/**/*.mk
node_modules/**/*.gypi
node_modules/**/*.target
node_modules/**/.deps/
node_modules/**/build/Makefile
node_modules/**/**/build/Makefile

Test this by first checking everything in, and then have another dev do the following:

通过首先检查所有内容来测试这一点，然后让另一个开发人员执行以下操作：

rm -rf node_modules
git checkout -- node_modules
npm rebuild
git status

Ensure that no files changed.

确保没有文件更改。

I believe that npm installshould not run in a production environment. There are several things that can go wrong - npm outage, download of newer dependencies (shrinkwrap seems to solved this) are two of them.

我认为不npm install应该在生产环境中运行。有几件事可能会出错 - npm 中断、下载更新的依赖项（shrinkwrap 似乎解决了这个问题）是其中两个。

On the other hand, node_modulesshould not be committed on git. Apart from their big size, commits including them can become distracting.

另一方面，node_modules不应该在 git 上提交。除了它们的大尺寸之外，包括它们在内的提交可能会让人分心。

The best solutions would be this: npm installshould run in a CI environment that is similar to the production environment. All tests will run and a zipped release file will be created that will include all dependencies.

最好的解决方案是：npm install应该在类似于生产环境的 CI 环境中运行。将运行所有测试并创建一个包含所有依赖项的压缩发布文件。

I have been using both committing node_modules folder and shrink-wrapping. Both solutions did not make me happy.

我一直在使用提交 node_modules 文件夹和收缩包装。两种解决方案都没有让我高兴。

In short: committed node_modules adds too much noise to repository.
And shrinkwrap.json is not easy to manage and there is no guarantee that some shrink-wrapped project will build in a few years.

简而言之：提交的 node_modules 给存储库增加了太多的噪音。
而且shrinkwrap.json 不容易管理，也不能保证几年后会构建一些收缩包装的项目。

I found that Mozilla was using a separate repository for one of their projects https://github.com/mozilla-b2g/gaia-node-modules

我发现 Mozilla 为他们的一个项目使用了一个单独的存储库https://github.com/mozilla-b2g/gaia-node-modules

So it did not take me long to implement this idea in a node CLI tool https://github.com/bestander/npm-git-lock

所以我很快就在 node CLI 工具https://github.com/bestander/npm-git-lock 中实现了这个想法

Just before every build add
npm-git-lock --repo [[email protected]:your/dedicated/node_modules/git/repository.git]

在每次构建之前添加
npm-git-lock --repo [[email protected]:your/dedicated/node_modules/git/repository.git]

It will calculate hash of your package.json and will either check out node_modules content from a remote repo, or, if it is a first build for this package.json, will do a clean npm installand push the results to the remote repo.

它将计算您的 package.json 的哈希值，并从远程仓库中检出 node_modules 内容，或者，如果它是此 package.json 的第一次构建，则会执行清理npm install并将结果推送到远程仓库。

What worked for me was explicitly adding a npm version to package.json ("npm": "1.1.x") and NOT checking in node_modules to git. It may be slower to deploy (since it downloads the packages each time), but I couldn't get the packages to compile when they were checked in. Heroku was looking for files that only existed on my local box.

对我有用的是明确地向 package.json ("npm": "1.1.x") 添加一个 npm 版本，而不是将 node_modules 签入 git。部署可能会更慢（因为它每次都下载包），但是当它们被签入时我无法编译这些包。Heroku 正在寻找只存在于我的本地机器上的文件。

Instead of checking in node_modules, make a package.json file for your app.

不要签入 node_modules，而是为您的应用程序创建一个 package.json 文件。

The package.json file specifies the dependencies of your application. Heroku can then tell npm to install all of those dependencies. The tutorial you linked to contains a section on package.json files.

package.json 文件指定应用程序的依赖项。然后 Heroku 可以告诉 npm 安装所有这些依赖项。您链接到的教程包含有关 package.json 文件的部分。

From https://web.archive.org/web/20150212165006/http://www.futurealoof.com/posts/nodemodules-in-git.html:

从https://web.archive.org/web/20150212165006/http://www.futurealoof.com/posts/nodemodules-in-git.html：

Edit: The original link was this onebut it is now dead. Thanks @Flavio for pointing it out.

编辑：原始链接是这个，但现在已经死了。感谢@Flavio 指出。

To recap.

• Only checkin node_modules for applications you deploy, not reusable packages you maintain.
• Any compiled dependencies should have their source checked in, not the compile targets, and should $ npm rebuild on deploy.

回顾一下。

• 只为您部署的应用程序签入 node_modules，而不是您维护的可重用包。
• 任何编译的依赖项都应该签入它们的源代码，而不是编译目标，并且应该在部署时使用 $ npm rebuild。

My favorite part:

我最喜欢的部分：

All you people who added node_modules to your gitignore, remove that shit, today, it's an artifact of an era we're all too happy to leave behind. The era of global modules is dead.

所有将 node_modules 添加到您的 gitignore 的人，删除那些狗屎，今天，这是一个我们都乐于抛在后面的时代的产物。全局模块的时代已经结束。

I am using this solution:

我正在使用这个解决方案：

1. Create separate repository that holds node_modules. If you have native modules that should be build for specific platform then create separate repository for each platform.
2. Attach these repositories to your project repository with git submodule:

1. 创建单独的存储库，其中包含node_modules. 如果您有应该为特定平台构建的本机模块，则为每个平台创建单独的存储库。
2. 使用以下命令将这些存储库附加到您的项目存储库git submodule：

git submodule add .../your_project_node_modules_windows.git node_modules_windows

git submodule add .../your_project_node_modules_windows.git node_modules_windows

git submodule add .../your_project_node_modules_linux_x86_64 node_modules_linux_x86_64

git submodule add .../your_project_node_modules_linux_x86_64 node_modules_linux_x86_64

1. Create link from platform-specific node_modulesto node_modulesdirectory and add node_modulesto .gitignore.
2. Run npm install.
3. Commit submodule repository changes.
4. Commit your project repository changes.

3. 创建从特定平台node_modules到node_modules目录的链接并添加node_modules到.gitignore.
4. 运行npm install。
5. 提交子模块存储库更改。
6. 提交您的项目存储库更改。

So you can easily switch between node_moduleson different platforms (for example if you are developing on OS X and deploying to Linux).

因此，您可以轻松地node_modules在不同平台之间切换（例如，如果您在 OS X 上开发并部署到 Linux）。