This risky “version roulette” needed to stop, and so lock files came to be. This assumption of compatibility did not meet the realities of software development, and led to a large amount of “works on my machine” and “broken build” problems, because people in a project could often be running different versions of a dependency -and not only among developers, but also between developers and CI or between CI and production. In what must have seemed like a good idea at the time, people reasoned that “according to SemVer, anything in 1.x should be backwards-compatible, so it’s safe to always install the latest 1.x”. If you defined a npm dependency with a constraint such as ^1.0.0 then it was an instruction to npm to use whatever the latest 1.x was at the time of installation. So then why do people use ranges? Early use of rangesīefore the advent of lock files, you only needed a package.json file. Therefore, the fact that 1.3.0 should be backwards-compatible with 1.2.0 is not changed, regardless of whether you specify exact versions (e.g. It is the SemVer specification that decrees that all 1.x releases should be backwards-compatible with other 1.x releases. The above are all equivalent, but only in npm. Furthermore, npm allows the use of “ranges” (also known as “constraints”). Ranges are not part of SemVerĪs you may already know, npm uses “ Semantic Versioning” (SemVer) to define versions, i.e. However, your choice of constraints can be just as important as your choice for how to update them. You might not have given this much thought before because npm and other clients pick defaults for you. Defining the Ranges and Constraints of npm Updatesīefore you dive into updating npm dependencies, take the time to first reconsider how you define your package versions to begin with. In the following guide we’ll use the term npm to keep things simple, however it also applies almost universally to yarn, pnpm, or lerna.
It starts out with simple concepts to get everybody aligned, and goes on to present cutting-edge approaches to npm dependency management that weren’t available even a year or two ago. This guide will explain why you need to keep your npm dependencies updated, and the most efficient ways to do so. Selecting and installing a dependency with Node Package Manager (npm) is only half the job.
0 kommentar(er)
