Node.js applications on the VIP Platform must use
npm to manage their dependencies. Other dependency managers such as
yarn are not supported.
Prior to building and running a Node.js application, VIP installs the application’s production dependencies with:
npm install --production
This step installs the dependencies listed in the
dependencies section of an application’s package.json . It does not install the dependencies listed in the
Production dependencies are installed and saved using the
npm install --save webpack
For development dependencies, use the
npm install --save-dev eslint
Both package.json and package-lock.json should be committed to a wpvip GitHub repository. Providing package-lock.json enables every system, including the VIP platform, to install and use the exact same dependency tree.
VIP also supports npm-shrinkwrap.json. If npm-shrinkwrap.json is present, it takes precedence over package-lock.json. Though both files perform similar functions, their differences should be considered carefully before adding npm-shrinkwrap.json to an application.
When developing code locally, check that the dependencies installed locally match those specified by package-lock.json in the current working branch. If there are any discrepancies, or to just eliminate doubt, remove the node_modules directory entirely and reinstall the dependencies.
The node_modules directory should not be committed to a wpvip GitHub repository. To ensure that dependencies are not accidentally committed, the node_modules directory has been added to .gitignore in the vip-go-node-skeleton.
Using private dependencies is not recommended, and they should not be used to provide application secrets or other configuration values.
If private dependencies are necessary, private npm packages can be used to load them:
- Publish the private code as one or more private npm packages and install them as dependencies of the application.
- Generate an npm access token that has permission to read the private packages.
- Set an environment variable named
NPM_TOKENwith the access token as its value. This token will be used by VIP to install the private packages.
Another option—though also not recommended—is to commit the credentials to the application’s GitHub repository, either by committing an
.npmrc file or by hardcoding access tokens in