Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I'm borderline infuriated that this isn't the default way that npm works. Maybe if people didn't willnilly break things and followed semver, it'd be okay, but I waste too much time bisecting why some package that used to work is blowing up my build or failing in less obvious ways.

But I'm a crusty almost-30 .Net developer used to Nuget.



npm does maintain a lockfile for you by default since npm 5, if that's what you mean.

There really is no reason to be encountering surprise sub-dependency changes with npm.


Happens all the time when package.json defaults to foo: "^1.2.3", and some bozo does breaking changes in 1.2.5.


If you have a package lock, even caret in package.json won't automatically install it.


> Happens all the time when package.json defaults to foo: "^1.2.3", and some bozo does breaking changes in 1.2.5.

No it doesn't. Since npm 5, npm is lockfile-by-default, you don't get updates unless you ask for them. Whether one particular package correctly respects semver is irrelevant.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: