2

Suppose in the package.json file I have my dependencies as:

"dependencies": {
     "moment": "^2.22.2"
 }

Here, are we saying that for the package "moment" we can use any of version 2.x.x functionality (i.e. we can use the new functions provided by 2.23.2 in our app, though we installed 2.22.2 on our computer), or are we saying that anyone else who uses our app's code can use any 2.x.x version of the "moment" package?

AMAN GUPTA
  • 121
  • 2
  • 10
  • 2
    Possible duplicate of [What's the difference between tilde(~) and caret(^) in package.json?](https://stackoverflow.com/questions/22343224/whats-the-difference-between-tilde-and-caret-in-package-json) – Sayed Tauseef Haider Naqvi Feb 15 '19 at 09:52
  • In that thread, it is answered that caret matches to 2.x.x but tilde matches to 2.22.x only. Please read my full question. It is not answered there. – AMAN GUPTA Feb 15 '19 at 09:55

2 Answers

2

If you set:

"moment": "^2.22.2"

the user will download almost the v2.22.2. In this case you will download the v2.24.0

If you set:

"moment": "2.22.2"

the user will download exactly that version

If you set:

"moment": "~2.22.1"

the user will download almost the v2.22.1. In this case you will download the v2.22.2

You can use the functions in v2.9.9 if and only if the module respects the semver standard. That is true 99.999% of the time.

Manuel Spigolon
  • 11,003
  • 5
  • 50
  • 73
  • Can we use the new functions provided by 2.9.9 in our app, though we installed 2.22.2 on our computer and our package.json contains ^2.22.2? – AMAN GUPTA Feb 15 '19 at 10:14
  • Yes, 2.22.2 contains the 2.9.9 functions – Manuel Spigolon Feb 15 '19 at 10:19
  • Sorry, I meant 2.99.9, i.e. a higher version than 2.22.2 – AMAN GUPTA Feb 15 '19 at 10:22
  • No, you can't: you should set `^2.99.9` in the `dependencies` – Manuel Spigolon Feb 15 '19 at 10:24
  • So what is the use of saying "^2.22.2" version in my code when a user who has installed the 2.21.2 version and wants to run my app can't use its (2.22.2) feature? Correct me if I am wrong: ^2.22.2 says that a 2.x.x version can run my code as well – AMAN GUPTA Feb 15 '19 at 10:35
  • If you run `npm list`, all will be clearer to you. The power of node.js+npm is that you can have 2 versions of `momentjs` in the same application. In your example, a user that installed 2.21.2 strictly will download a version for his app and a version (2.22.2) for your dependency. – Manuel Spigolon Feb 15 '19 at 10:42
2

> can we use any of version 2.x.x functionality (i.e. we can use the new functions provided by 2.9.9 in our app, though we installed 2.22.2 on our computer)

Just to avoid confusion: you will not install version 2.22.2 on your computer. By saying ^2.22.2, npm will look for the highest version of 2.x.x and install that version. You will never install version 2.22.2. You will install version 2.24, and when moment updates its packages to 2.25.0, you will install that version. So you will always have the latest version 2.x.x installed, so you will get the functions of 2.9.9.

> are we saying that anyone else who uses our code of app can use any 2.x.x version of "moment" package?

Yes, you can verify this by checking out package-lock.json which is created by NPM and describes the exact dependency tree. https://docs.npmjs.com/files/package-lock.json

If your package.json is version 1.0.0 and you have a 2.22.2 dependency on moment, and do npm install, you will see this in package-lock:

{
  "name": "mypackage",
  "version": "1.0.0",
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
    "moment": {
      "version": "2.24.0",
      "resolved": "https://registry.npmjs.org/moment/-/moment-2.24.0.tgz"
    }
  }
}

So everybody that installs version 1.0.0 of your package will get moment version 2.24.

> why do I need to install "moment.js" again (i.e. update it) once it's installed on my computer

You don't have to. But the common rule is to leave node_modules out of repositories and only have package.json. So when you publish your website to, for example, AWS, Azure or DigitalOcean, they will do npm install and therefore install everything, every time you publish your website.

To clarify how the flow of packages usually is:

  1. You create a package/module with a specific version
  2. I decide to use your package
  3. So I will do npm install (to use your package)
  4. NPM will go through the dependency tree and install versions accordingly.
  5. My website works and I am happy
  6. In the meantime you are changing your code, and updating your package.
  7. A few months pass and I decide to change my website. So now when I do npm install (because I updated my code), I will get your updates as well.
Bergur
  • 3,962
  • 12
  • 20