reneroth.xyz

This is your sign to pin all package versions


You should always pin your npm package versions. I’m too tired to write a longer post on this, but here are the three main reasons:

  • Stability: You don’t want to pull in changes that break your code. (Nobody does npm ci)
  • Reproducibility: You want to be able to reproduce the same environment on every machine. (Again: Nobody does npm ci)
  • Security: You don’t want to lose everything to a supply chain attack. (Nobody does npm ci!!)

I have seen this happen again and again to clients who had no idea why their crypto wallets were empty or their credentials stolen. Just now, it happened again on a grand scale with the axios package being hijacked.

None of my projects were affected. That is because I enforce pinning of all npm dependencies.

Pinning is as easy as removing the little ^ (or ~) in front of the version numbers in your package.json. When installing new packages, add --save-exact to your npm install command, or set save-exact=true in your project's .npmrc (npm config set save-exact true) so npm writes exact versions by default. Keep in mind that this pins only your direct dependencies; transitive ones are held in place by package-lock.json, so commit the lockfile and install from it with npm ci rather than npm install.

Yes, you miss out on "automatic" patch-level updates. But you don't want those anyway, not least because of possible breaking changes (even with semver in place).

PIN YOUR PACKAGE VERSIONS. And if you can at all, always run your projects in containers.

(Before you come at me, I am aware this does not offer 100% security. It should still be a best practice.)
