2  

There exist different package repositories for each of the package managers that are available. Whenever you reference a package by name, the tool queries one of those repositories asking where to find the actual code that has to be downloaded for it to work.

每个可用的包管理器都存在不同的包存储库。每当您按名称引用包时,该工具都会查询其中一个存储库,询问在哪里可以找到必须下载的实际代码才能使其正常工作。

For Bower, there's the bower registry. For npm, there's the npm registry. And the like.

对于鲍尔来说,有凉亭注册表。对于npm,有npm注册表。之类的。

When you specify just a package name, the tool asks its registry for the data. If you specify the name and a GitHub repo, then it goes to that repo to get the code, and marks it as satisfying the package-name dependency.

当您仅指定包名称时,该工具会向其注册表询问数据。如果您指定名称和GitHub存储库,那么它将转到该存储库以获取代码,并将其标记为满足包名称依赖关系。

The registry knows where to find the code because the package author registered all that info when publishing the package.

注册表知道在何处查找代码,因为包发布者在发布包时注册了所有该信息。

npm defaults its registry, but you can scope your dependencies to use a custom registry.

npm默认其注册表,但您可以将依赖项的范围限定为使用自定义注册表。

gem, the Ruby package manager, requires you to specify the registries you want to use - most of the time, just Rubygems.

Ruby包管理器gem要求您指定要使用的注册表 - 大多数情况下,只需指定Rubygems。

But all of them know one way or another who to query to get the relevant data.

但他们都知道以某种方式查询以获取相关数据。

0  

Bower and NPM are agnostic when it comes to the packages the community submits. It is ultimately up to you, the developer, to confirm any NPM and Bower packages you incorporate into your software are the correct instances.

当涉及社区提交的包时,Bower和NPM是不可知的。开发人员最终要确认您合并到软件中的任何NPM和Bower软件包都是正确的实例。

The best way to do that is to search and view the package at their respective Bower and NPM sites before installing. There you can reference the GIT url and confirm its the correct package or not a fork before proceeding.

最好的方法是在安装之前在各自的Bower和NPM站点搜索和查看软件包。在那里你可以引用GIT url并确认它是正确的包,或者在继续之前没有fork。