undefined | Better HN

0 pointsDrJokepu10y ago0 comments

I mean, don't use `npm install --save` then. I'm not really sure why people started using it in the first place, it's such a lazy thing to do. Instead, add it to your package.json yourself with the exact specific version you want (none of the ^a.b.c funny business).

0 comments

Silhouette10y ago

Instead, add it to your package.json yourself with the exact specific version you want

Unfortunately, the same problem then arises for your dependencies. If any of them don't specify exact versions, you are still vulnerable to getting uncontrolled changes.

This is why things like npm shrinkwrap exist, but it's still crazy that NPM's default behaviour is the uncontrolled case.

DrJokepuOP10y ago

Yes, libraries should specify exact versions as well, it's insane that they don't.

madeofpalk10y ago

or rather, npm install --save-exact :)

then upgrade with npm shrinkwrap

igl10y ago

echo "save-prefix=''" > ~/.npmrc

inglor10y ago

When I bootstrap code I npm install --save, I have 10 packages I usually need right off the bat and I don't want to start an investigation every time I do this.

j / k navigate · click thread line to collapse