There once was a good ol’ boy.
Grew up fixing things with instinct and duct tape,
built his apps the same way:
solid, fast, and no time to waste.
(this poem was created by chat-GPT, i don’t hide)
One day, though, he had to delete his package-lock.json.
Maybe it got messed up. Maybe Git went weird. Maybe he just wanted a clean install. So he did what any of us would do:
rm package-lock.json && npm i
But that’s when the snake bit the horse.
Because somewhere in his package.json, hiding in plain sight like a viper 🐍 in the grass, were these little traps: ^1.2.3, ^6.0.1…
They looked harmless; just caret (^) versions. But those carets were telling npm:
“Yeah, sure, install the latest minor version. What could go wrong?”
And the internet, as always, did moved on.
A dependency of a dependency had released a “compatible” update.
Except it wasn’t.
A function behaved differently. The app crashed. Logs were useless. He didn’t even touch his code, and still… it broke.
All because of a version upgrade he didn’t control.
Cause ^6.0.1 isn’t safe, 6.0.1 is what you do want.
See ya, old buddy.
Other cases i can think of where ^ are going to bite you.
-
CI suddenly start failing: everything works locally. But a new version of a sub-dependency makes your tests fail. You waste hours debugging, thinking you broke something.
- Two devs. Same codebase. Different
node_modulesbecause of^pulling different versions. One dev gets a bug. The other can’t reproduce it. - Breaking changes hidden in “minor” updates. If hte
npmpacakge don’t followsemver. They might introduce breaking changes in a1.4.0that’s technically “safe” for^1.2.3(but it isn’t).
- Two devs. Same codebase. Different
How to protect your buddy solve this:
check this script:
it will
