
How should you pin your npm dependencies and why?

Getting in-depth on making your application updated and safe

Niccolò Belli
Mar 7, 2019 · 8 min read

What is pinning and why is it so important?

Why did package managers default to semver?

What happens when semver fails?

Tests can fail too

Downsides of pinning

Automation

Libraries

Upgrade noise

How to pin packages

package.json and the sub-dependencies problem

[Figure: dependency tree of @angular/compiler-cli] Even if we pin @angular/compiler-cli we would still be exposed to dozens of sub-dependencies

Lock files to the rescue

Why not both?

Conclusion

An important note about libraries

The Guild
