In most cases it's not necessary to add a version constraint next to your packages in the `package.json`. Since all versions are saved in a lockfile, everyone running `yarn install` will get exactly the same versions. Yarn saves this lockfile as `yarn.lock` and npm as `package-lock.json`.
There are some exceptions where you can consider adding a version constraint to the `package.json`:
`yarn upgrade` or `npm update`

A drawback of this approach is that adding new packages might also upgrade existing packages, so check your lockfile carefully before committing. Note that the approach in this card works best if you use `yarn outdated` or `npm outdated` together with `yarn upgrade some_package` or `npm update some_package` for major updates, before running `yarn upgrade` or `npm update` for all minor and patch updates.
```json
{
  "dependencies": {
    "autosize": "^6.0.1",
    "unpoly": "^2.7.2"
  }
}
```

`autosize` and `unpoly` when running `yarn upgrade` or `npm update`
```json
{
  "dependencies": {
    "autosize": "x",
    "unpoly": "x"
  }
}
```

`yarn upgrade` or `npm update`

Note: `"unpoly": "x"` and `"unpoly": "*"` express the same version constraint.
```json
{
  "dependencies": {
    "autosize": "x",
    "unpoly": "2.x"
  }
}
```

`yarn upgrade` or `npm update` will never perform a major `unpoly` update unless you change this line.

Note: `"unpoly": "2.x"` and `"unpoly": "^2.7.2"` express the same version constraint.
Commit message: Fixes CVE-XYZ

```json
{
  "dependencies": {
    "autosize": ">6.0.0",
    "unpoly": "x"
  }
}
```

`yarn` or `npm`.

Commit message: Version 6 of autosize has a bug when rendering large

```json
{
  "dependencies": {
    "autosize": "<6.0.0",
    "unpoly": "x"
  }
}
```
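To make the effect of the different constraints above concrete, here is an added example (not code from the original card) that implements the range syntaxes used on this page (`^6.0.1`, `x`, `*`, `2.x`, `>6.0.0`, `<6.0.0`) and does what `yarn upgrade` / `npm update` do with them: pick the highest published version that the constraint allows. The registry contents (`SAMPLE_REGISTRY`) are constructed sample data, not real registry output; pre-release tags are out of scope.

```javascript
// Added example, not code from the original card: a minimal resolver for the
// range syntaxes shown above ("^6.0.1", "x", "*", "2.x", ">6.0.0", "<6.0.0").
// It mimics what `yarn upgrade` / `npm update` do with a constraint: pick the
// highest published version that satisfies it. The registry data is a
// constructed sample, not real npm registry output.

const SAMPLE_REGISTRY = {
  autosize: ['5.0.1', '5.0.2', '6.0.0', '6.0.1', '6.0.2'],
  unpoly: ['2.7.2', '2.8.0', '3.0.0'],
};

function parseVersion(v) {
  const [major, minor, patch] = v.split('.').map(Number);
  return { major, minor, patch };
}

// Numeric semver ordering (pre-release tags are out of scope here).
function compare(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  return (pa.major - pb.major) || (pa.minor - pb.minor) || (pa.patch - pb.patch);
}

// True when `version` is allowed by `range`.
function satisfies(range, version) {
  const v = parseVersion(version);
  let m;
  if (range === 'x' || range === '*') return true;          // anything, major updates included
  if ((m = /^(\d+)\.x$/.exec(range))) {                      // "2.x": any release of that major
    return v.major === Number(m[1]);
  }
  if ((m = /^\^(\d+\.\d+\.\d+)$/.exec(range))) {             // "^2.7.2": >=2.7.2 <3.0.0
    const b = parseVersion(m[1]);
    if (compare(version, m[1]) < 0) return false;
    // caret keeps the left-most non-zero component fixed (0.x.y is special-cased)
    if (b.major > 0) return v.major === b.major;
    if (b.minor > 0) return v.major === 0 && v.minor === b.minor;
    return v.major === 0 && v.minor === 0 && v.patch === b.patch;
  }
  if ((m = /^([<>])(\d+\.\d+\.\d+)$/.exec(range))) {          // ">6.0.0" / "<6.0.0": strict bounds
    const c = compare(version, m[2]);
    return m[1] === '>' ? c > 0 : c < 0;
  }
  throw new Error(`unsupported range syntax: ${range}`);
}

// Highest published version matching `range`, or null when nothing matches.
function resolve(range, published) {
  const matching = published.filter((p) => satisfies(range, p)).sort(compare);
  return matching.length ? matching[matching.length - 1] : null;
}

// Resolve every dependency of a package.json-style object against the registry.
function resolveDependencies(dependencies, registry = SAMPLE_REGISTRY) {
  const out = {};
  for (const [name, range] of Object.entries(dependencies)) {
    out[name] = resolve(range, registry[name] || []);
  }
  return out;
}

// prints { autosize: '6.0.2', unpoly: '2.8.0' }
console.log(resolveDependencies({ autosize: '>6.0.0', unpoly: '2.x' }));
```

Running `resolve('x', SAMPLE_REGISTRY.unpoly)` returns `3.0.0` (a major update), while `resolve('2.x', ...)` stops at `2.8.0`; `>6.0.0` rejects exactly the version the commit message above wants to exclude, and `<6.0.0` keeps `autosize` on the last 5.x release.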
In case you decide to switch from `"unpoly": "^2.7.2"` to `"unpoly": "x"`, you need to manually edit your `yarn.lock`, otherwise `yarn` will perform a `yarn upgrade` within the `yarn install` command:
Before:

```
unpoly@^2.7.2:
  version "2.7.2"
  resolved "https://registry.yarnpkg.com/unpoly/-/unpoly-2.7.2.tgz#55044c08bce0984c000f7cd32450af39271727de"
  integrity sha512-jfBbBRBQMCZZcNS6fckKpFunfdiTDBXW8yxRKqLs09jSrYYUDPd+YuyDoXjABXOro0aDUIMcmyTc7moc1/Z5Tw==
```

After:

```
unpoly@x:
  version "2.7.2"
  resolved "https://registry.yarnpkg.com/unpoly/-/unpoly-2.7.2.tgz#55044c08bce0984c000f7cd32450af39271727de"
  integrity sha512-jfBbBRBQMCZZcNS6fckKpFunfdiTDBXW8yxRKqLs09jSrYYUDPd+YuyDoXjABXOro0aDUIMcmyTc7moc1/Z5Tw==
```
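The manual `yarn.lock` edit above is easy to get wrong by hand (a typo in the descriptor, or a forgotten second descriptor that shares the entry). As an added example, not code from the original card, the script below performs exactly that edit on a yarn v1 lockfile: it renames the descriptor `unpoly@^2.7.2` to `unpoly@x` and leaves `version`, `resolved` and `integrity` byte-for-byte unchanged, then verifies that the resolution did not change. `SAMPLE_LOCK` is a constructed lockfile fragment built from the entry shown above; the helper names are my own.

```javascript
// Added example, not code from the original card: retarget the descriptor of a
// yarn.lock (v1 format) entry, e.g. "unpoly@^2.7.2:" -> "unpoly@x:", while the
// pinned version, resolved URL and integrity hash stay untouched. That is what
// keeps the next `yarn install` on the locked version instead of upgrading.
// SAMPLE_LOCK is a constructed lockfile fragment built from the entry shown above.

const SAMPLE_LOCK = `unpoly@^2.7.2:
  version "2.7.2"
  resolved "https://registry.yarnpkg.com/unpoly/-/unpoly-2.7.2.tgz#55044c08bce0984c000f7cd32450af39271727de"
  integrity sha512-jfBbBRBQMCZZcNS6fckKpFunfdiTDBXW8yxRKqLs09jSrYYUDPd+YuyDoXjABXOro0aDUIMcmyTc7moc1/Z5Tw==
`;

// Strip the optional double quotes yarn puts around descriptors/values with special characters.
function unquote(s) {
  const t = s.trim();
  return /^".*"$/.test(t) ? t.slice(1, -1) : t;
}

// Parse a v1 lockfile into Map<descriptor, { version, resolved, integrity, ... }>.
// Several descriptors can share one entry ("pkg@^1.0.0, pkg@^1.2.0:").
function parseLock(text) {
  const entries = new Map();
  let current = null;
  for (const line of text.split('\n')) {
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      current = {};
      for (const d of line.slice(0, -1).split(',')) entries.set(unquote(d), current);
      continue;
    }
    const m = /^\s+(\S+)\s+(.*)$/.exec(line);
    if (m && current) current[m[1]] = unquote(m[2]);
  }
  return entries;
}

// Return lockfile text with descriptor `from` renamed to `to`; every other line is kept as-is.
function retargetDescriptor(text, from, to) {
  const entries = parseLock(text);
  if (!entries.has(from)) throw new Error(`no entry for ${from} in lockfile`);
  if (entries.has(to)) throw new Error(`${to} already has an entry; yarn would not know which one to use`);
  return text.split('\n').map((line) => {
    if (/^\s/.test(line) || !line.endsWith(':')) return line;
    const descriptors = line.slice(0, -1).split(',').map((d) => d.trim());
    if (!descriptors.some((d) => unquote(d) === from)) return line;
    return descriptors
      .map((d) => (unquote(d) === from ? (d.startsWith('"') ? `"${to}"` : to) : d))
      .join(', ') + ':';
  }).join('\n');
}

// Check that the retarget kept the resolution (version, URL, integrity) identical,
// i.e. the edit did not silently turn into an upgrade.
function resolutionUnchanged(before, after, from, to) {
  const a = parseLock(before).get(from);
  const b = parseLock(after).get(to);
  return Boolean(a && b)
    && a.version === b.version
    && a.resolved === b.resolved
    && a.integrity === b.integrity;
}

const UPDATED_LOCK = retargetDescriptor(SAMPLE_LOCK, 'unpoly@^2.7.2', 'unpoly@x');
console.log(UPDATED_LOCK);
console.log('resolution unchanged:', resolutionUnchanged(SAMPLE_LOCK, UPDATED_LOCK, 'unpoly@^2.7.2', 'unpoly@x'));
```

Reading the real file with `fs.readFileSync('yarn.lock', 'utf8')`, passing it through `retargetDescriptor` and writing it back gives the "After" state shown above; running `yarn install` afterwards should then report no changes, which is the check that the lockfile still pins 2.7.2.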
When running `npm update`, it will change both the `package.json` and the `package-lock.json`.

Before:

```json
{
  "dependencies": {
    "autosize": "^6.0.1",
    "unpoly": "^2.2.1"
  }
}
```

After:

```json
{
  "dependencies": {
    "autosize": "^6.0.1",
    "unpoly": "^2.7.2"
  }
}
```