I've been reading about the latest NPM madness with a gigantic bowl of popcorn in hand. 🍿 Who thought it would be a good idea for NPM to automatically "upgrade" dependencies to newer versions? Version pinning should be the default behavior, like other sane environments do (e.g. Java, Rust).
In fact, here's an angry rant comment I left in a JS-based build system about a year ago:

"Always explicitly pick versions for all JS dependencies!!

The Kotlin front-end plugin will warn us if we try to add a dependency without a version.
Don't ignore those warnings, you'll regret it later if you do.
Tragically, the default behavior for npm is to automatically download newest
versions of libraries even when rebuilding an existing project!!
Naturally, this creates unexpected bugs when OF COURSE your code isn't
automatically compatible with newer versions of your dependencies.
Even worse, the version you didn't know you were depending on gets overwritten by the rebuild,
so you can't go look it up after you suddenly realize you need it.
The only way to restore working order to your project is to guess what version you depended on
for each and every dependency that's now broken by an unexpected (and unwanted) update.

Thankfully, the newest Kotlin/JS gradle plugin uses yarn,
which will ossify dependency versions into a yarn.lock file.
Use the `backupYarnLock` gradle task to export the dependency versions into source control."

4/4 fin!
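
Pinning only works if every entry in package.json names one exact version and the resulting lockfile (yarn.lock or package-lock.json) is committed. The following is an added example, not code from the original post or from any project mentioned in it: a small Node script that audits a package.json and reports every dependency specifier that can resolve to a different version between installs. The manifest it checks is constructed for illustration, and the function names (`unpinnedReason`, `findUnpinned`) are this example's own.

```javascript
// Added example (not from the original post): flag dependency specifiers in a
// package.json that are not pinned to a single exact version. Everything below,
// including the sample manifest, is constructed for illustration.

// A full semver version, optionally with prerelease/build metadata, e.g. 1.2.3 or 1.2.3-rc.1+build.7
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Returns null when the specifier is an exact version, otherwise a short reason
// why the resolved version can drift from one install to the next.
function unpinnedReason(spec) {
  let s = String(spec).trim();
  // Aliases such as "npm:real-name@1.2.3": judge the version after the last "@".
  if (s.startsWith("npm:")) s = s.slice(s.lastIndexOf("@") + 1);
  if (EXACT_VERSION.test(s)) return null;
  if (s === "" || s === "*" || s === "x" || s === "latest") return "wildcard or dist-tag";
  if (/^(git\+|github:|https?:|file:|link:)/.test(s)) {
    // A git source is only reproducible when it names a full commit hash.
    return /#[0-9a-f]{40}$/.test(s) ? null : "non-registry source without commit hash";
  }
  if (/^[\^~]/.test(s)) return "semver range (" + s[0] + ")";
  if (/^[<>=]/.test(s) || /\s-\s/.test(s) || /\|\|/.test(s)) return "semver range";
  if (/^\d+(\.\d+)?(\.[xX*])?$/.test(s)) return "partial version";
  return "unrecognised specifier";
}

// Walk every dependency section and collect the entries that are not pinned.
function findUnpinned(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const reason = unpinnedReason(spec);
      if (reason) findings.push({ field, name, spec, reason });
    }
  }
  return findings;
}

// Constructed sample manifest: two entries are pinned, the other six would drift.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "sample-app",
  dependencies: {
    "left-pad": "1.3.0",        // exact: reproducible
    "lodash": "^4.17.21",       // caret range: any 4.x >= 4.17.21
    "express": "~4.18.0",       // tilde range: any 4.18.x
    "some-tool": "*",           // anything at all
    "fancy-lib": "latest",      // dist-tag, moves whenever the maintainer publishes
  },
  devDependencies: {
    "typescript": "5.4.5",      // exact: reproducible
    "eslint": ">=8",            // open-ended range
    "my-fork": "github:example/my-fork#main", // branch name, not a commit hash
  },
});

// Run directly (node audit.js) to print a report; the functions are reusable on a real package.json.
if (typeof require !== "undefined" && require.main === module) {
  const findings = findUnpinned(SAMPLE_PACKAGE_JSON);
  for (const f of findings) {
    console.log(`${f.field}.${f.name} = "${f.spec}"  ->  ${f.reason}`);
  }
  console.log(`${findings.length} unpinned specifier(s)`);
  process.exitCode = findings.length ? 1 : 0;
}
```

The script exits non-zero when anything is unpinned, so it can sit in CI next to the lockfile check. Note that an exact specifier still only records what you asked for; the lockfile records what actually got installed, including transitive dependencies, which is why the post's advice to commit yarn.lock matters regardless of how package.json is written.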
