📦 Package: Switch dependency versions to ^ ranges #5114

JoshuaKGoldberg · 2024-03-04T18:59:02Z

Spinning out of #5090: @orgads noted that the package.json versions of dependencies are all pinned to specific versions like 4.1.1 rather than "caret" ^ ranges like ^4.1.1:

mocha/package.json

Lines 53 to 56 in 3345eff

    
           "dependencies": { 
        
             "ansi-colors": "4.1.1", 
        
             "browser-stdout": "1.3.1", 
        
             "chokidar": "3.5.3",

Why is that?

I'm accustomed to ^ ranges to help consumers deduplicate packages. E.g. if a consumer's package requirements are chokidar@^3.5.2 and chokidar@^3.6.0, us specifying chokidar@^3.5.3 would mean they could all resolve to the same package version.

The text was updated successfully, but these errors were encountered:

voxpelli · 2024-03-12T16:13:09Z

I'm a big 👍 to this. It was different in the pre-package-lock.json era, that's when it was good practice to try and lock down dependencies this way, now its better handled by the package-lock.json in our and other's projects.

Maybe implement this on a dependency by dependency basis when we update them? That way we will test that no breakage will occur

JoshuaKGoldberg added the status: in discussion Let's talk about it! label Mar 4, 2024

JoshuaKGoldberg mentioned this issue Mar 4, 2024

chore: update chokidar to 3.6.0 #5090

Draft

voxpelli mentioned this issue Mar 12, 2024

🛠 Repo: Several packages reported by npm audit #5070

Open

5 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

📦 Package: Switch dependency versions to ^ ranges #5114

📦 Package: Switch dependency versions to ^ ranges #5114

JoshuaKGoldberg commented Mar 4, 2024

voxpelli commented Mar 12, 2024

📦 Package: Switch dependency versions to ^ ranges #5114

📦 Package: Switch dependency versions to ^ ranges #5114

Comments

JoshuaKGoldberg commented Mar 4, 2024

voxpelli commented Mar 12, 2024