Protecting your product with npm ‘save-exact’
There’s no question that npm and node have a massive open-source ecosystem backing them. Each day brings hundreds of new packages and thousands of updates to existing ones.
With a simple npm install we can grab any package we want.
npm install --save joe-schmoes-library
NPM, by default, will save this to our package.json.
// ...
"dependencies": {
"joe-schmoes-library": "^3.4.11"
}
// ...
The ^ means that any time we run npm install again, npm will only update our dependency if there is a minor or patch change in the semantic versioning. NPM also provides a ~ substitute if we only want patch modifications.
Semantic versioning is robust. It provides flexibility for the package developer to make features and bug fixes without negatively affecting the consumers with a major (breaking) change. The catch with NPM and semantic versioning is that we have to trust the developers who update the code to do the right thing.
Unfortunately, trusting open source developers can be a problem. Nothing stops a developer from making a breaking change during a bug fix.
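To make the range rules concrete, here is an added example (not code from the original post, and not npm's own semver implementation) that models how a ^, ~ or exact entry in package.json selects a version from the registry. It goes slightly beyond the post by also handling the 0.x special case of ^, where the leading non-zero component is the one that may not change. The published version list and the package name are constructed for the illustration; plain x.y.z versions without pre-release tags are assumed.

```javascript
// Added example: a minimal model of npm's ^ / ~ / exact range resolution.
// Assumes plain x.y.z versions (no pre-release tags); not npm's own library.

// Parse "3.4.11" into [3, 4, 11]; throws on anything that is not x.y.z.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Lexicographic compare of [major, minor, patch] tuples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound permitted by a range prefix.
// "^": next major, or next minor/patch while the leading component is 0.
// "~": next minor.
// "" (no prefix, which is what --save-exact writes): no range at all,
//    signalled by null so the caller demands an exact match.
function upperBound(prefix, [major, minor, patch]) {
  if (prefix === "^") {
    if (major > 0) return [major + 1, 0, 0];
    if (minor > 0) return [0, minor + 1, 0];
    return [0, 0, patch + 1];
  }
  if (prefix === "~") return [major, minor + 1, 0];
  if (prefix === "") return null;
  throw new Error(`unsupported range prefix: ${prefix}`);
}

// Does `candidate` satisfy the package.json range string `range`
// (e.g. "^3.4.11", "~3.4.11" or "3.4.11")?
function satisfies(range, candidate) {
  const m = /^([\^~]?)(.+)$/.exec(range);
  const prefix = m[1];
  const base = parseVersion(m[2]);
  const cand = parseVersion(candidate);
  const upper = upperBound(prefix, base);
  if (upper === null) return compareVersions(cand, base) === 0;
  return compareVersions(cand, base) >= 0 && compareVersions(cand, upper) < 0;
}

// Pick the highest published version that satisfies the range, which is
// what a fresh `npm install` does when it resolves a dependency.
function resolve(range, published) {
  const ok = published.filter((v) => satisfies(range, v)).map(parseVersion);
  if (ok.length === 0) return null;
  ok.sort(compareVersions);
  return ok[ok.length - 1].join(".");
}

// Constructed sample: versions a maintainer might publish over time for
// the (hypothetical) joe-schmoes-library package.
const PUBLISHED = ["3.4.11", "3.4.12", "3.5.0", "4.0.0"];

// "^3.4.11" quietly moves a fresh install to 3.5.0, the case the post
// warns about; "~" limits the drift to 3.4.x; an exact pin stays put.
console.log(resolve("^3.4.11", PUBLISHED)); // 3.5.0
console.log(resolve("~3.4.11", PUBLISHED)); // 3.4.12
console.log(resolve("3.4.11", PUBLISHED));  // 3.4.11
```

The exact-pin branch is the behaviour --save-exact buys you: the version in package.json is the version you get until you change it yourself, instead of whatever the maintainer has most recently published inside the range.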