Use fixed package versions in node.js projects

As you probably know, a node.js project declares its dependencies in its package.json file, and the node package manager allows a great deal of flexibility regarding which version of each dependency you want in your project.

My heartfelt advice is to let go of all this flexibility and use fixed versions for your dependencies.

When you use fixed versions, running npm install will yield the same result every time – this quality is known as idempotence.

In practical terms, this means that a dependency that was working before cannot stop working on its own, because nothing changes underneath you unless you change it. I have seen two projects experience multi-day delays during frantic circumstances because a dependency was updated in a way that would crash the application.

The benefits of auto-updating dependencies are vague and unpredictable, even when you use semver ranges and allow only patch updates. Because npm install has to be run explicitly, the dependencies on your dev machine will most likely remain un-updated (and working), while all the updates, including possibly breaking ones, are performed on the machines to which the application is deployed.

The question arises: which version should you use for each package? Unless you have special needs, just use the latest version available at the time you add the package to the package.json file. You can find it by entering the command npm show PACKAGE version.


Figure 1 (below): a happy and idempotent dependencies object for a node.js project. Every version is exact, so there is no range for npm to widen.

{
  "dependencies": {
    "foo": "1.0.0",
    "boo": "2.0.1",
    "wee": "3.4.2"
  }
}
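As an added example (not code from the original post), here is a small audit script in the spirit of the figure above: it walks the dependency fields of a package.json object, flags every specifier that is not an exact version, and spells out the range npm would otherwise resolve, so that a caret or tilde entry cannot hide in a large manifest. The function names (isExactVersion, describeRange, findUnpinnedDependencies) and the sample package.json are this example's own, not part of npm or any real project.

```javascript
// Added example, not code from the original post. It audits a package.json
// object for dependency specifiers that npm would not resolve to exactly one
// version. The helper names and the sample package.json are this example's own.

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// An exact specifier is MAJOR.MINOR.PATCH, optionally with -prerelease and
// +build metadata; npm also accepts a leading "v" or "=" for exact versions.
const EXACT_RE =
  /^[v=]?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isExactVersion(spec) {
  return typeof spec === 'string' && EXACT_RE.test(spec.trim());
}

// Describe the set of versions npm may install for a non-exact specifier.
// Caret and tilde follow the node-semver rules: "^" allows anything below the
// next major (or the next minor/patch when the major/minor is 0), "~" allows
// patch updates only.
function describeRange(spec) {
  const s = String(spec).trim();
  let m;
  if ((m = /^\^(\d+)\.(\d+)\.(\d+)/.exec(s))) {
    const [major, minor, patch] = m.slice(1).map(Number);
    if (major > 0) return `>=${major}.${minor}.${patch} <${major + 1}.0.0`;
    if (minor > 0) return `>=0.${minor}.${patch} <0.${minor + 1}.0`;
    return `>=0.0.${patch} <0.0.${patch + 1}`;
  }
  if ((m = /^~(\d+)\.(\d+)\.(\d+)/.exec(s))) {
    const [major, minor, patch] = m.slice(1).map(Number);
    return `>=${major}.${minor}.${patch} <${major}.${minor + 1}.0`;
  }
  if (s === '' || s === '*' || s === 'latest') return 'any published version';
  if (/^(git\+|git:|github:|https?:|file:|[\w.-]+\/[\w.-]+$)/.test(s)) {
    return 'non-registry source (git, URL or local path)';
  }
  return `range "${s}" (not an exact version)`;
}

// Walk every dependency field and collect the specifiers that are not pinned.
function findUnpinnedDependencies(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!isExactVersion(spec)) {
        findings.push({ field, name, spec, resolvesTo: describeRange(spec) });
      }
    }
  }
  return findings;
}

// Constructed sample package.json for demonstration (not a real project).
const SAMPLE_PACKAGE_JSON = {
  name: 'sample-app',
  dependencies: { foo: '1.0.0', boo: '^2.0.1', wee: '~3.4.2', zap: '*' },
  devDependencies: { tap: '=4.1.0', lint: 'latest' },
};

// Report: only "foo" and "tap" are exact; the other four entries are ranges.
for (const f of findUnpinnedDependencies(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.field}.${f.name}: "${f.spec}" -> ${f.resolvesTo}`);
}
```

Running this against a real manifest (JSON.parse the file contents and pass the object in) gives a checklist of entries to pin before the next deploy. Note that it only inspects the direct dependencies declared in package.json; the versions of transitive dependencies are recorded by npm's package-lock.json (available since npm 5), which this check does not cover.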