DEV Community

Discussion on: Don't trust SemVersioning in NPM Modules

Thomas Grainger

Or just use the automatic package-lock.json like everyone else...

Henry Williams

Good point. I was under the impression that when a new version of the package is released, the dependency tree would be regenerated for the newest version. But after running some tests, it looks like that's not the case: once a version is specified in the package-lock.json, it won't be updated as long as it fulfills the required version range. For example, 0.24.0 fulfills the requirement for 0.x, so even if 0.25.0 is released, npm will continue to install and use 0.24.0.

Thomas Grainger

Yep, otherwise package-lock.json would be totally useless.

Joe Pea

That hasn't always been the case, and if that is what you want, that is why they recommend using npm ci instead of npm install, so that package-lock.json will absolutely dictate which dependencies you install.

Joe Pea

I mean, even if in theory npm install installs based on package-lock.json, it hasn't always been the case, and has varied from version to version of npm, and once you have a valid package-lock.json, npm ci is THE way to guarantee you are installing based on it.

No good, I know!
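The two behaviours discussed in the thread, a locked version being kept as long as it still satisfies the range in package.json (Henry's 0.24.0 vs 0.x case) and npm ci treating the lockfile as authoritative (Joe's point), can be modelled in a few lines. The following is an added example, not code from the thread or from npm itself: it implements a small subset of semver range matching (exact versions, `N.x` / `N.M.x` x-ranges and `^` caret ranges, no prerelease tags) and two resolver functions, `resolveInstall` and `resolveCi`, whose names and the constructed `available` version list are this example's own. It mirrors the behaviour the commenters describe, not npm's internal algorithm.

```javascript
// Added example (not npm's code): a model of how a lockfile interacts with a
// semver range, covering the behaviour described in the thread.

// Parse "MAJOR.MINOR.PATCH" into three numbers. Prerelease tags and build
// metadata are deliberately out of scope for this model.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmpParts(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function compareVersions(a, b) {
  return cmpParts(parseVersion(a), parseVersion(b));
}

// Translate a range into [inclusive lower, exclusive upper) bounds.
// Supported: "1.2.3" (exact), "0.x", "1.2.x", "^1.2.3" (incl. the ^0.y.z rules).
function rangeBounds(range) {
  let m;
  if ((m = /^(\d+)\.(\d+)\.(\d+)$/.exec(range))) {
    const exact = m.slice(1, 4).map(Number);
    return { lower: exact, upper: [exact[0], exact[1], exact[2] + 1] };
  }
  if ((m = /^(\d+)\.x$/.exec(range))) {
    const major = Number(m[1]);
    return { lower: [major, 0, 0], upper: [major + 1, 0, 0] };
  }
  if ((m = /^(\d+)\.(\d+)\.x$/.exec(range))) {
    const [major, minor] = [Number(m[1]), Number(m[2])];
    return { lower: [major, minor, 0], upper: [major, minor + 1, 0] };
  }
  if ((m = /^\^(\d+)\.(\d+)\.(\d+)$/.exec(range))) {
    const lower = m.slice(1, 4).map(Number);
    // Caret: bump the leftmost non-zero component, so ^0.2.3 is >=0.2.3 <0.3.0
    // and ^0.0.3 is >=0.0.3 <0.0.4, which is what makes 0.x ranges so brittle.
    let upper;
    if (lower[0] > 0) upper = [lower[0] + 1, 0, 0];
    else if (lower[1] > 0) upper = [0, lower[1] + 1, 0];
    else upper = [0, 0, lower[2] + 1];
    return { lower, upper };
  }
  throw new Error(`unsupported range: ${range}`);
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const { lower, upper } = rangeBounds(range);
  return cmpParts(v, lower) >= 0 && cmpParts(v, upper) < 0;
}

// Model of `npm install` as described in the thread: the locked version is
// reused whenever it still satisfies package.json; only if it no longer does
// is the highest available version matching the range resolved instead.
function resolveInstall(range, locked, available) {
  if (locked && satisfies(locked, range)) return locked;
  const candidates = available.filter((v) => satisfies(v, range)).sort(compareVersions);
  if (candidates.length === 0) throw new Error(`no available version satisfies ${range}`);
  return candidates[candidates.length - 1];
}

// Model of `npm ci`: the lockfile dictates the version, and a lockfile that
// disagrees with package.json is an error rather than a silent upgrade.
function resolveCi(range, locked) {
  if (!locked) throw new Error('npm ci requires a package-lock.json');
  if (!satisfies(locked, range)) {
    throw new Error(`locked version ${locked} does not satisfy ${range}`);
  }
  return locked;
}

// Constructed sample data mirroring the thread: 0.25.0 has just been published.
const available = ['0.23.1', '0.24.0', '0.25.0'];
console.log('install, range 0.x, locked 0.24.0 ->', resolveInstall('0.x', '0.24.0', available));
console.log('install, range 0.x, no lockfile   ->', resolveInstall('0.x', null, available));
console.log('ci,      range 0.x, locked 0.24.0 ->', resolveCi('0.x', '0.24.0'));
```

Running it prints 0.24.0 for the locked install, 0.25.0 for a fresh install without a lockfile, and 0.24.0 for npm ci; changing the range to `0.25.x` makes `resolveInstall` silently move to 0.25.0 while `resolveCi` throws, which is the difference the thread is pointing at.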