This repository has been archived by the owner on Aug 30, 2019. It is now read-only.

Proposal: Start using only exact npm versions #355

yurist38 opened this issue Mar 13, 2018 · 1 comment

Comments

@yurist38
Contributor

Description

Currently we do not use fixed versions of our npm dependencies. It causes problems sometimes, and package.json and package-lock.json are not really synchronized. The idea is to start using only fixed versions.

What needs to be done

Update .npmrc file to install only exact versions
Update package.json with latest versions
Test how it works

Please feel free to put in comments your ideas and concerns about this approach.

@rbardini
Contributor

I agree. Using version ranges can cause problems if dependency maintainers do not strictly follow semver, so I usually suggest installing/saving exact versions—although this does not prevent dependencies from using version ranges themselves, which is why enforcing package-lock.json is good practice.

A couple other actions I would suggest:

  • Update README to use npm ci instead of npm i.
  • Do incremental upgrades of dependencies instead of totally rewriting package-lock.json to minimize dependency tree changes.
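The two posts above describe the same hygiene goal from two sides: pin exact versions in package.json, and keep package-lock.json in sync with it so that `npm ci` can enforce the lock. The following Node.js audit, an added example that is not part of this issue or the project's code, checks both points on a manifest and lockfile: it lists every dependency whose specifier is not an exact semver version (ranges, wildcards, dist-tags, URLs), and it reports exact-pinned dependencies whose top-level lockfile entry records a different version or is missing. The sample package.json and package-lock.json objects are constructed for the demonstration; the lockfile layout assumed is lockfileVersion 1 (`dependencies[name].version`), and the `.npmrc` line shown in the header comment is the setting the proposal refers to.

```javascript
// Added example (not from the original issue or the project): audit a
// package.json for non-exact dependency versions and check that pinned
// versions match the top-level entries of package-lock.json.
//
// Assumed .npmrc content so that `npm install --save` writes exact versions:
//   save-exact=true

const EXACT_SEMVER = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Return [{ field, name, spec }] for every specifier that is not an exact
// semver version (ranges such as ^1.2.3 / ~1.2.3 / >=1.0.0, "*", dist-tags
// such as "latest", git/http URLs, file: paths).
function findNonExactVersions(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_SEMVER.test(spec)) findings.push({ field, name, spec });
    }
  }
  return findings;
}

// Compare exact-pinned manifest entries with the lockfile's top-level
// dependencies (lockfileVersion 1 layout assumed). Returns
// [{ name, manifest, lock }] where lock is the locked version, or null when
// the lockfile has no entry for that package at all.
function findLockMismatches(pkg, lock) {
  const locked = (lock && lock.dependencies) || {};
  const mismatches = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_SEMVER.test(spec)) continue; // ranges are reported by findNonExactVersions
      const entry = locked[name];
      const lockVersion = entry ? entry.version : null;
      if (lockVersion !== spec) {
        mismatches.push({ name, manifest: spec, lock: lockVersion });
      }
    }
  }
  return mismatches;
}

function runAudit(pkg, lock) {
  return {
    nonExact: findNonExactVersions(pkg),
    lockMismatches: findLockMismatches(pkg, lock),
  };
}

// Constructed sample inputs; they are not a real project's files.
const SAMPLE_PACKAGE = {
  name: 'sample-app',
  dependencies: { react: '16.2.0', lodash: '^4.17.5', express: '~4.16.0' },
  devDependencies: { jest: '22.4.2', eslint: '*', 'some-cli': 'latest' },
};
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 1,
  dependencies: {
    react: { version: '16.2.0' },
    lodash: { version: '4.17.5' },
    express: { version: '4.16.2' },
    jest: { version: '22.4.0' }, // drifted: manifest pins 22.4.2
    eslint: { version: '4.18.2' },
    // 'some-cli' is deliberately missing from the lockfile
  },
};

const report = runAudit(SAMPLE_PACKAGE, SAMPLE_LOCK);
for (const f of report.nonExact) {
  console.log(`non-exact: ${f.field}.${f.name} = "${f.spec}"`);
}
for (const m of report.lockMismatches) {
  console.log(`lock drift: ${m.name} manifest=${m.manifest} lock=${m.lock}`);
}
```

On the sample data this prints four non-exact specifiers (lodash, express, eslint, some-cli) and one lock drift (jest). In a real repository the two objects would come from `JSON.parse` of the two files, and a non-empty report is a reasonable reason to fail CI before `npm ci` is even attempted.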
