Shrinkwrap dependencies and remove carrots from package.json #654

Closed
garretto opened this Issue Oct 10, 2016 · 2 comments

Projects

None yet

2 participants

@garretto

Today eslint-plugin-react was updated and had bug - yannickcr/eslint-plugin-react@d0dfc07

This caused all of our builds to start failing since we npm install for every new build.

To fix this, I propose this package remove all carrots from dependency versions, e.g.
"eslint-plugin-react": "6.0.0", instead of "eslint-plugin-react": "^6.0.0", and include a shrinkwrap file - https://docs.npmjs.com/cli/shrinkwrap

We are now shrinkwrapping our dev dependencies at my company to prevent this issue in the future. But I think it'd be a good idea within this dependency as well for others.

@feross
Owner
feross commented Oct 10, 2016

Sorry your builds got broken. I do think that on the whole, having loose dependencies has been good for standard. We feel the pain acutely when semver is violated, but we don't appreciate all the times that bugs get fixed for free.

I think one improvement to the situation is to switch to ~ instead of ^. This is slightly more conservative, and would have prevented the breakage you experienced today. We use ~ already for ESLint since minor versions are more likely to introduce incompatibilities than patch versions.

@feross feross added a commit that referenced this issue Oct 10, 2016
@feross Dependencies: Use ~ instead of ^.
Fixes: #654

I think one improvement to the situation is to switch to ~ instead of
^. This is slightly more conservative, and would have prevented the
breakage described in the above issue. We use ~ already for ESLint
since minor versions are more likely to introduce incompatibilities
than patch versions.
99a1d90
@garretto

👍 thanks for the quick response

@feross feross closed this in #655 Oct 10, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment