
The little `^` in version numbers in NPM's `package.json` file is such a bizarre choice. The fact that it by default installs all new dependencies with that means that builds on different machines at different times could result in _completely_ different artifacts.


You should always commit a lockfile (either npm's or yarn.lock) alongside package.json


This helps with CI and deploys, but on developer machines running `npm i` will install different things at different times. The amount of churn a `package-lock.json` file undergoes when all of the dependencies have a `^` is crazy.


When you have a `package-lock.json` file `npm i` will not upgrade packages. You have to do that manually.

The biggest churn in `package-lock.json` files is from using different npm versions. It’s worth keeping them aligned within a dev team.


I use an .npmrc in all of my repos that turns this off. It doesn't help nested dependencies but at least it reduces some of the headache.


Can you share it?


Sure, save this to `.npmrc` right next to your `package.json`. It doesn't retroactively change versions, so any existing `~` or `^` ranges need to have those characters removed. But further `npm i` invocations will save the versions without range characters.

    save-exact = true
    package-lock = false
    update-notifier = false



