author | Hunter Loftis <hunter@hunterloftis.com> | 2014-09-09 15:12:24 +0400 |
---|---|---|
committer | Forrest L Norvell <forrest@npmjs.com> | 2014-09-13 12:32:25 +0400 |
commit | 860a185c43646aca84cb93d1c05e2266045c316b (patch) | |
tree | ee2d02a83145b4b2b76e444dd9ccabf3b05f140a /doc | |
parent | 5eb8db2c370eeb4cd34f6e8dc6a935e4ea325621 (diff) |
don't check in node_modules
generalize git check in for non-deployable packages
Diffstat (limited to 'doc')
-rw-r--r-- | doc/misc/npm-faq.md | 20 |
1 files changed, 11 insertions, 9 deletions
diff --git a/doc/misc/npm-faq.md b/doc/misc/npm-faq.md index 53fa03d62..4dca3cd71 100644 --- a/doc/misc/npm-faq.md +++ b/doc/misc/npm-faq.md @@ -75,18 +75,20 @@ npm will not help you do something that is known to be a bad idea. ## Should I check my `node_modules` folder into git? -Mikeal Rogers answered this question very well: +Usually, no. Allow npm to resolve dependencies for your packages. -<http://www.futurealoof.com/posts/nodemodules-in-git.html> +For packages you **deploy**, such as websites and apps, +you should use npm shrinkwrap to lock down your full dependency tree: -tl;dr +https://www.npmjs.org/doc/cli/npm-shrinkwrap.html -* Check `node_modules` into git for things you **deploy**, such as - websites and apps. -* Do not check `node_modules` into git for libraries and modules - intended to be reused. -* Use npm to manage dependencies in your dev environment, but not in - your deployment scripts. +If you are paranoid about depending on the npm ecosystem, +you should run a private npm mirror or a private cache. + +If you want 100% confidence in being able to reproduce the specific bytes +included in a deployment, you should use an additional mechanism that can +verify contents rather than versions. For example, +Amazon machine images, DigitalOcean snapshots, Heroku slugs, or simple tarballs. ## Is it 'npm' or 'NPM' or 'Npm'? |
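Review bot: The shrinkwrap link in the new `node_modules` answer is added as a bare URL (`+https://www.npmjs.org/doc/cli/npm-shrinkwrap.html`), while the link it replaces used the `<...>` autolink form. Wrap it in angle brackets so it renders as a link regardless of the Markdown renderer, and put `npm shrinkwrap` in backticks to match `node_modules` in the heading. The closing line beginning "For example, Amazon machine images, ..." is a sentence fragment; "For example, use Amazon machine images, ..." reads as a complete sentence. The removed bullet about using npm in the dev environment but not in deployment scripts has no counterpart in the added text. If that advice is being dropped on purpose, say so in the commit message; otherwise add a line stating whether deployment should install from the shrinkwrap file.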