Pinning your dependencies in Javascript projects
Get closer to reproducible builds in your Javascript projects
When creating a new NodeJS project, it's a good idea to do these two things first:
Pin the project's node version using nvm
# This will pin the project's node version to the current latest LTS version
nvm use --lts
node -v > .nvmrc
nvm (docs) is the Node Version Manager. It allows you to install and switch between different versions of node.
The commands above add a .nvmrc file to the project that records which version of node the project requires.
The next time you come back to the project, running nvm use will switch to this version of node.
Add save-exact to the .npmrc file
echo "save-exact=true" >> .npmrc
This means that when I install a dependency using npm install, it pins the exact major.minor.patch version of the dependency in the package.json file.
It's the equivalent of always adding the --save-exact flag (docs) to every npm install command.
Why?
If you read complaints about people struggling to rebuild a NodeJS project that they haven't touched in a while, the most common reasons are:
- They are using a different version of node from what they were using originally.
- They didn't pin their dependencies, and now some of the newer dependencies are breaking their build. By default, npm install saves dependencies as ^version, which pins only the major version (minor and patch updates are still accepted). Unfortunately, a lot of dependencies do break on minor or patch versions.
These two steps prevent both of these issues.
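To check an existing project against both of these settings, here is an added example (not from the article) written for Node: it reports dependencies that are still declared as ranges rather than exact versions, reads save-exact from .npmrc text, and compares a .nvmrc written by node -v against a running node version. The package names, versions and file contents are constructed for the example.

```javascript
// Added example: audit a project's pinning state. Flags package.json
// dependencies that are not an exact major.minor.patch version and
// checks .npmrc for save-exact=true. Sample inputs are constructed.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Return [{ field, name, spec }] for every dependency whose specifier
// is a range (^, ~, x, *, >=...) or a non-registry source (git:, file:).
function findUnpinned(pkg) {
  const fields = ['dependencies', 'devDependencies', 'optionalDependencies'];
  const out = [];
  for (const field of fields) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_SEMVER.test(spec)) out.push({ field, name, spec });
    }
  }
  return out;
}

// Parse .npmrc (key=value lines, '#' or ';' comments) and report whether
// save-exact is enabled. A missing key is treated as not enabled.
function hasSaveExact(npmrcText) {
  for (const raw of npmrcText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim();
    if (key === 'save-exact') return value === 'true';
  }
  return false;
}

// Compare the contents written by `node -v > .nvmrc` (e.g. "v22.11.0\n")
// with a running node version string such as process.version.
function nvmrcMatches(nvmrcText, nodeVersion) {
  return nvmrcText.trim().replace(/^v/, '') === nodeVersion.trim().replace(/^v/, '');
}

// Constructed sample inputs: one pinned and two unpinned dependencies.
const samplePkg = {
  dependencies: { express: '4.19.2', lodash: '^4.17.21' },
  devDependencies: { typescript: '~5.4.0' },
};
const sampleNpmrc = '# project settings\nsave-exact=true\n';

console.log(findUnpinned(samplePkg), 'save-exact:', hasSaveExact(sampleNpmrc));
```

Run it inside a real project by replacing samplePkg with require('./package.json') and sampleNpmrc with the contents of .npmrc.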
Caveat
This only applies to application projects, not library projects.
If you are building a library that will be used by other projects, you absolutely should not pin your dependencies, because you want to allow flexibility for consumers of your library to use the versions they want.