I've recently started using exact versions in my package.json. This allows me to have more control over my versions and with tools like Renovate this is easier than ever.
What is an exact version?
"react": "^16.0.0" // carat: allow 16.1.0
"react": "~16.0.0" // tilde: allow 16.0.1
"react": "16.0.0" // exact: only 16.0.0
Why
Renovate has great documentation on why you would do this dependency-pinning
How
There are two ways to force npm or yarn to save exact versions in your package.json.
1. Everytime you install a package
// npm
npm install --save --save-exact react
// yarn
yarn add --exact react
2. Set a default in your config
npm config set save-exact=true
This adds save-exact=true to your .npmrc
Top comments (1)
In my opinion, this really should be the default behaviour of all package managers. Having packages that update when running
npm installis great for keeping packages from security breaches but semantic versions are not enforced and some maintainer do push breaking changes on minor or patch version and it becomes a nightmare to debug each one of the updated package when this happen. Installing exact versions does allow a more fine control over which packages should be updated or not. This is why it should become the default behaviour in my opinion.