
There have been a few different ways to download the latest version of a module using npm (and also with syntax in package.json). If I'm creating a new node project and I want to use a 3rd party module (that also uses 3rd party modules, and so on), how can I avoid the problem that 3rd party modules might always be getting the latest version of a dependency that could possibly break my application without any warning?

For example, if a module that I want to use has something like this in its package.json:

"dependencies": {
  "dep1": "^1.1.1"
}

It will always grab the latest version of dep1 when I install my app. There could be some code in the newer version that breaks my app. Is there a global way to prevent this from happening?

u84six
  • Are you asking how to download certain versions? – Andrew Li Aug 30 '16 at 04:34
  • No, I'm asking if there's a way to prevent all 3rd party modules from always getting the latest version of a dependency. Isn't that a huge risk when running npm install on your application? – u84six Aug 30 '16 at 04:35
  • Why would you want to prevent it? Those modules need those dependencies, and most likely in their newest version. Why not download older versions of the module for older dependency versions? – Andrew Li Aug 30 '16 at 04:36
  • Because I've already tested my app and it works. I install it somewhere else, and a dependency installs a newer version of one of its dependencies that's not compatible with my app (for example). I don't think it's a good idea to install new code into your tested app. Isn't that a general problem with npm and the way people use it? – u84six Aug 30 '16 at 04:37
  • 1
    https://docs.npmjs.com/cli/shrinkwrap – Matt Aug 30 '16 at 04:46
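The following is an added example, not code from the question or from npm itself. It models, in plain JavaScript, what the `^1.1.1` range in the question admits and why the version that gets installed can change between two runs of `npm install`, then shows how a recorded exact version (what `npm shrinkwrap`, linked in the comment above, writes into npm-shrinkwrap.json for the whole dependency tree) makes the choice deterministic. The two "registry snapshots", the package name `dep1` and the `resolve`/`resolveLocked` helpers are constructed for the demo; real npm uses the full semver grammar, so this covers only exact pins and caret ranges.

```javascript
// Added example (not from the original question or from npm): a minimal model
// of npm's choice of version for a caret range, with and without a lockfile.
// Registry contents, the package name "dep1" and all helpers are constructed.

function parse(v) {
  const [major, minor, patch] = v.split(".").map(Number);
  return { major, minor, patch };
}

// Numeric semver comparison: negative if a < b, zero if equal, positive if a > b.
function compare(a, b) {
  const pa = parse(a), pb = parse(b);
  return (pa.major - pb.major) || (pa.minor - pb.minor) || (pa.patch - pb.patch);
}

// Does version v satisfy `range`?  Supports an exact pin ("1.1.1") or a caret
// range.  Caret semantics: any version that does not change the left-most
// non-zero component, so ^1.1.1 => >=1.1.1 <2.0.0, ^0.1.1 => >=0.1.1 <0.2.0,
// and ^0.0.3 => exactly 0.0.3.
function satisfies(v, range) {
  if (!range.startsWith("^")) return v === range; // exact pin
  const base = range.slice(1);
  if (compare(v, base) < 0) return false;
  const b = parse(base), c = parse(v);
  if (b.major !== 0) return c.major === b.major;
  if (b.minor !== 0) return c.major === 0 && c.minor === b.minor;
  return v === base;
}

// Floating resolution: the highest version currently on the registry that
// satisfies the range.  This is why the result depends on *when* you install.
function resolve(range, available) {
  const ok = available.filter((v) => satisfies(v, range)).sort(compare);
  return ok.length ? ok[ok.length - 1] : null;
}

// Locked resolution (simplified model of a shrinkwrap/lockfile): the recorded
// version wins as long as it still satisfies the declared range and still
// exists on the registry; otherwise fall back to floating resolution.
function resolveLocked(name, range, available, lock) {
  const pinned = lock[name];
  if (pinned && satisfies(pinned, range) && available.includes(pinned)) return pinned;
  return resolve(range, available);
}

// Constructed registry snapshots for "dep1" on two different install days.
const registryDay1 = ["1.0.0", "1.1.1", "1.2.0"];
const registryDay2 = ["1.0.0", "1.1.1", "1.2.0", "1.3.0", "2.0.0"]; // 1.3.0 published later

// The third-party module's own declaration, as in the question's package.json.
const range = "^1.1.1";

function demo() {
  const day1 = resolve(range, registryDay1);               // "1.2.0" on the day you tested
  const day2 = resolve(range, registryDay2);               // "1.3.0": code you never tested
  const lock = { dep1: day1 };                             // what a shrinkwrap records
  const day2Locked = resolveLocked("dep1", range, registryDay2, lock); // back to "1.2.0"
  return { day1, day2, day2Locked };
}

console.log(demo());
```

Two practitioner notes on the model. First, a caret range is a promise that the publisher follows semver; nothing enforces it, so `1.3.0` may still break you, which is exactly the risk the question describes. Second, a shrinkwrap pins version numbers for the entire tree, including transitive dependencies, but a version number alone does not pin content; later npm lockfile formats add an `integrity` hash per package for that reason, so check that your lockfile carries one before relying on it for supply-chain protection.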

0 Answers