By default, npm install will use the caret (^) notation when installing a dependency. For example, if you run:
npm i jsonwebtoken
npm will add the following dependency to your package.json:
"jsonwebtoken": "^9.0.0"
which is equivalent to "jsonwebtoken": "^9" (why are they wasting valuable characters?).
This means that npm can install any version greater than or equal to 9.0.0 but less than 10.0.0.
In theory this should work because the SemVer specification says that the minor version (second number) should be backwards compatible.
In practice, however, library authors don't follow this rule strictly, which can cause a lot of headaches.
Another option would be to use tilde (~), which only allows the patch version (third number) to change:
"jsonwebtoken": "~9.0"
In this case npm can install versions greater than or equal to 9.0.0 but less than 9.1.0.
This is safer and the option I would suggest. You can configure npm to use this option with the following command:
npm config set save-prefix "~"
However, keep in mind that newer patch versions can also introduce other bugs, so if you want to be completely safe you should use an exact version:
"jsonwebtoken": "9.0.0"
And use a tool such as Renovate to update your dependencies.
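To make the three range styles above concrete, here is an added example (not from the original post, and not npm's own code) that resolves a package.json version spec into the inclusive lower and exclusive upper bound npm would apply, and checks whether a given version falls inside. It also covers the caret rule for 0.x versions, which the post does not discuss; in a real project use the semver package rather than hand-rolling this.

```javascript
// Parse "9", "9.0" or "9.0.1" into numeric components; missing ones default to 0.
function parseVersion(v) {
  const parts = v.split('.').map(Number);
  if (parts.length < 1 || parts.length > 3 || parts.some(Number.isNaN)) {
    throw new Error(`bad version: ${v}`);
  }
  return { parts, full: [parts[0], parts[1] ?? 0, parts[2] ?? 0] };
}

// Lexicographic compare of [major, minor, patch] triples.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { min, max }: min is inclusive, max is exclusive (null means exact pin).
function rangeBounds(spec) {
  const prefix = spec[0] === '^' || spec[0] === '~' ? spec[0] : '';
  const { parts, full } = parseVersion(prefix ? spec.slice(1) : spec);
  const [maj, min, pat] = full;
  if (prefix === '^') {
    // Caret: the leftmost non-zero component is locked, everything right of it may change.
    if (maj > 0 || parts.length === 1) return { min: full, max: [maj + 1, 0, 0] };
    if (min > 0 || parts.length === 2) return { min: full, max: [0, min + 1, 0] };
    return { min: full, max: [0, 0, pat + 1] };
  }
  if (prefix === '~') {
    // Tilde: only the patch may change (minor too when only a major is given, e.g. "~9").
    if (parts.length === 1) return { min: full, max: [maj + 1, 0, 0] };
    return { min: full, max: [maj, min + 1, 0] };
  }
  // No prefix: a full "9.0.0" is an exact pin; a partial "9" or "9.0" is an X-range.
  if (parts.length === 3) return { min: full, max: null };
  if (parts.length === 1) return { min: full, max: [maj + 1, 0, 0] };
  return { min: full, max: [maj, min + 1, 0] };
}

// True if `version` is one npm would be allowed to install for `spec`.
function satisfies(spec, version) {
  const { min, max } = rangeBounds(spec);
  const v = parseVersion(version).full;
  if (max === null) return compare(v, min) === 0;
  return compare(v, min) >= 0 && compare(v, max) < 0;
}

module.exports = { parseVersion, rangeBounds, satisfies };
```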