Pinned dependencies are packages with fixed versions. This is not recommended since the package will not get the latest updates.
While I understand the intention here, this presents certain issues that need to be taken into account.
Sometimes package updates include breaking changes or new bugs. Therefore, if the version number isn't fixed in package.json, that means the code may break due to a package update.
Therefore, I would actually recommend pinning the dependencies. This also ensures that all the developers working on the project are using the same package versions, thus providing the same features and running the same code. Otherwise, the developers are practically working on a different codebase.
A better practice for updating packages would be to use a tool like npm-check-updates, then try to install the latest versions from time to time in a separate branch and check whether the code still works or breaks, fix whatever is necessary, and merge back to main. It's also possible to somewhat automate this in the CI/CD workflow with tools like Dependabot.
Hi Ido! I completely agree; in this article I tried to cover the basic points without going too deep. Ideally we would not have to worry about breaking changes if we followed SemVer correctly, but in reality there are package updates which introduce breaking changes that sometimes not even the package maintainers are aware of. In this case it is best to pin dependencies, but this should be used as a last resort.
I disagree on always pinning all dependencies, since the dependency tree will keep updating anyway and any security fixes in the package updates will be missed. But these priorities change depending on the type of project we're working with. I think there is no right or wrong answer here, but a discussion on the matter is important.
Thank you for your input. I wasn't aware of the tools you have provided. Will take a look at them!
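As an added example (not code from the comment thread or from either commenter), here is a small Node.js check that classifies each package.json dependency as exactly pinned or floating, the kind of policy check a CI job could run before the branch-and-update workflow described above. The package names and versions in the sample are constructed.

```javascript
// Added example: report which package.json dependencies are exactly pinned
// and which are ranges or dist-tags that npm may resolve differently over time.

// An exact pin looks like "1.2.3" or "1.2.3-beta.1" (optionally with build
// metadata); anything else ("^1.2.3", "~1.2.3", "*", "latest") floats.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

function isPinned(spec) {
  return EXACT_SEMVER.test(String(spec).trim());
}

// Walks the given dependency sections of a parsed package.json and returns
// { pinned: [...], floating: [...] }, each entry as { section, name, spec }.
function auditDependencies(pkg, sections = ["dependencies", "devDependencies"]) {
  const pinned = [];
  const floating = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      (isPinned(spec) ? pinned : floating).push({ section, name, spec });
    }
  }
  return { pinned, floating };
}

// Constructed sample package.json; the package names are placeholders.
const samplePkg = {
  name: "example-app",
  dependencies: {
    "some-library": "1.3.0",        // pinned
    "some-framework": "^4.17.21",   // caret range: minor and patch may float
    "some-utility": "~2.0.1",       // tilde range: patch may float
    "some-cli": "latest",           // dist-tag: resolves to whatever is newest
  },
  devDependencies: {
    "some-test-runner": "29.7.0",   // pinned
    "some-linter": "*",             // any version at all
  },
};

const report = auditDependencies(samplePkg);
console.log(`${report.pinned.length} pinned, ${report.floating.length} floating`);
for (const d of report.floating) {
  console.log(`  ${d.section}/${d.name}: "${d.spec}"`);
}
```

To run it against a real project, `JSON.parse` the project's package.json and pass the result to `auditDependencies`; as the thread notes, pinned versions only pick up security fixes when someone updates them deliberately, so a check like this is most useful paired with a scheduled update tool such as Dependabot or npm-check-updates.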