Use ^ in package.json for version numbers #56

Closed
kachkaev opened this issue Aug 26, 2017 · 3 comments

Comments

@kachkaev
Contributor

kachkaev commented Aug 26, 2017

I noticed that the dependency versions in package.json are fixed, e.g. "chalk": "2.1.0" instead of "chalk": "^2.1.0". I might be wrong but this may cause duplicates in the front end bundles if the same package is being referred from somewhere else (e.g. as "chalk": "^2.3.0"). Not sure there is any benefit from hard-locking the versions, so how about using ^? This will allow for any library version higher than the given one, but smaller than the next major version.

If there's a need to ensure that the dev dependencies are stable in CI, package-lock.json can be added to the source control. WDYT?

@SimenB
Collaborator

SimenB commented Aug 26, 2017

#46 (comment)

@af
Owner

af commented Sep 4, 2017

I've been reading up on this to see if my thinking needs to be updated here. My position has been that pinning to exact versions isolates envalid from accidental breakage when its dependencies bump versions. Since this is primarily a server-side library, the duplicated package issue is not a big deal, and to me the benefits of getting "the latest" dependencies are negligible (we can always bump manually if there are features/bugfixes we want to leverage). Are there any other reasons to prefer floating versions with ^?

@af
Owner

af commented Sep 4, 2017

Closing for now, but more than happy to continue the discussion and re-open as needed

@af af closed this as completed Sep 4, 2017
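The duplication question raised in this thread can be checked mechanically. The sketch below is an added example, not code from envalid or from any participant: it models npm's exact and caret ranges (including the stricter 0.x caret rules, which go beyond the case discussed above) and reports whether two dependents can share one installed copy. The `published` list and the function names are constructed for illustration.

```javascript
// Added example: models npm's exact and caret (^) ranges to show when two
// dependents of the same package can share one installed copy.

// Parse "MAJOR.MINOR.PATCH" into numbers (prerelease tags are out of scope).
function parse(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
  if (!m) throw new Error(`unsupported version: ${version}`);
  return m.slice(1).map(Number);
}

// Lexicographic comparison of two parsed versions: negative, zero or positive.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Does `version` satisfy `range`? Supports "x.y.z" (exact pin) and "^x.y.z".
function satisfies(version, range) {
  const v = parse(version);
  if (!range.startsWith("^")) return compare(v, parse(range)) === 0;
  const lo = parse(range.slice(1));
  // Caret allows changes that leave the left-most non-zero component untouched.
  const hi = lo[0] > 0 ? [lo[0] + 1, 0, 0]
           : lo[1] > 0 ? [0, lo[1] + 1, 0]
           : [0, 0, lo[2] + 1];
  return compare(v, lo) >= 0 && compare(v, hi) < 0;
}

// Highest published version that satisfies every range, or null if none does
// (in which case the tree needs more than one copy of the package).
function sharedVersion(published, ranges) {
  const ok = published.filter(v => ranges.every(r => satisfies(v, r)));
  ok.sort((a, b) => compare(parse(a), parse(b)));
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed list of published versions (not real registry data).
const published = ["2.1.0", "2.3.0", "2.4.1", "3.0.0"];

console.log(sharedVersion(published, ["2.1.0", "^2.3.0"]));  // pin vs. caret
console.log(sharedVersion(published, ["^2.1.0", "^2.3.0"])); // caret vs. caret
```

A `null` result means no single version satisfies both dependents, so the install tree carries two copies; with a lockfile committed, the caret case still resolves to one reproducible version.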