Common practice for version numbers of npm dependencies in package.json has been to enter exact version numbers (like 1.2.4) instead of inexact version numbers (like ^1.2.4, which allows installing bug fix releases like 1.2.5) to make sure a future installation will not break due to changes in dependencies (see for example this article).

Using exact version numbers has a drawback in that you can't automatically update bug fix versions of dependencies. This is an issue when nested dependencies have security fixes or bug fixes. For example, at this moment the package karma-browserstack-launcher uses browserstack, which is using an outdated version of https-proxy-agent containing a security vulnerability. This becomes very visible right now thanks to npm audit, which looks for security issues in dependencies.

For some time now we have package-lock.json, which is used to lock down the version numbers of all dependencies. This may change the way we deal with exact or inexact version numbers in package.json.

My question is: given package.json and package-lock.json, what is the best strategy nowadays to deal with version numbers of dependencies? Use exact versions or not? How can I deal with security issues in nested dependencies if they don't get upgraded?
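The question contrasts exact pins with caret ranges and asks how to find nested dependencies that the lockfile keeps on an outdated version. The script below is an added example, not code from the question or from npm: it implements the semver matching rules for exact, caret (^) and tilde (~) ranges, then walks the "packages" map of a lockfileVersion 2/3 package-lock.json to list every locked copy of a nested package (here https-proxy-agent) and flag the copies below a version you consider fixed. The lockfile contents, the version numbers and the "fixed in 2.2.0" threshold are constructed for the example and are not the real versions of these packages.

```javascript
// Added example: semver range checks plus a package-lock.json walk.
// Everything below is constructed sample data, not real package versions.

// Constructed package-lock.json (lockfileVersion 2/3 layout: a flat "packages"
// map keyed by the install path; nested copies live under nested node_modules).
const SAMPLE_LOCK = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "karma-browserstack-launcher": "1.4.0" } },
    "node_modules/karma-browserstack-launcher": {
      version: "1.4.0", dependencies: { browserstack: "~1.5.0" } },
    "node_modules/browserstack": {
      version: "1.5.1", dependencies: { "https-proxy-agent": "^2.0.0" } },
    "node_modules/browserstack/node_modules/https-proxy-agent": { version: "2.1.0" },
    "node_modules/https-proxy-agent": { version: "2.2.1" },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release tags are out of scope here).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Standard semver ordering: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Exclusive upper bound of a ^ or ~ range, following npm's semver rules:
// ~1.2.3 < 1.3.0; ^1.2.3 < 2.0.0; ^0.2.3 < 0.3.0; ^0.0.3 < 0.0.4.
function upperBound(range) {
  const [major, minor, patch] = parseVersion(range.slice(1));
  if (range[0] === "~") return `${major}.${minor + 1}.0`;
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}

// Would npm accept `version` for the declared `range`? An exact pin admits
// only itself, which is why pinned deps never pick up bug-fix releases.
function satisfiesRange(range, version) {
  const r = range.trim();
  if (/^\d/.test(r)) return compareVersions(r, version) === 0;
  if (r[0] !== "^" && r[0] !== "~") throw new Error(`unsupported range: ${range}`);
  return compareVersions(version, r.slice(1)) >= 0 &&
         compareVersions(version, upperBound(r)) < 0;
}

// Every locked copy of `name`, top-level or nested, with its install path.
function findLockedCopies(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages)
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, entry]) => ({ path, version: entry.version }))
    .sort((a, b) => a.path.localeCompare(b.path));
}

// Copies of `name` older than `fixedIn`: these are the ones `npm audit`
// would keep reporting until the dependent that pins them is updated.
function copiesBelow(lock, name, fixedIn) {
  return findLockedCopies(lock, name)
    .filter((c) => compareVersions(c.version, fixedIn) < 0)
    .map((c) => c.path);
}

// Stand-alone run: report the nested copy that is still on the old version.
// "2.2.0" is an assumed fixed-in version for the example, not a real advisory.
for (const c of findLockedCopies(SAMPLE_LOCK, "https-proxy-agent")) {
  const flag = compareVersions(c.version, "2.2.0") < 0 ? "OUTDATED" : "ok";
  console.log(`${c.path} -> ${c.version} (${flag})`);
}
```

Running it against a real lockfile only requires replacing SAMPLE_LOCK with JSON.parse of the file; the "packages" keys are the same install paths you see under node_modules, so the output tells you which dependent owns the stale copy. The range checker is deliberately limited to the three range forms the question discusses; for anything else (||, >=, x-ranges, pre-release tags) use the semver package npm itself depends on.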
The package-lock.json file should always be part of your source control. Never put it into .gitignore.
My feeling is that