by DrJokepu 3743 days ago
I mean, don't use `npm install --save` then. I'm not really sure why people started using it in the first place, it's such a lazy thing to do. Instead, add it to your package.json yourself with the exact specific version you want (none of the ^a.b.c funny business).

Instead, add it to your package.json yourself with the exact specific version you want

Unfortunately, the same problem then arises for your dependencies. If any of them don't specify exact versions, you are still vulnerable to getting uncontrolled changes.

This is why things like npm shrinkwrap exist, but it's still crazy that NPM's default behaviour is the uncontrolled case.

Yes, libraries should specify exact versions as well; it's insane that they don't.
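As an added example (not code from the thread), a small Node.js audit that walks a set of package.json manifests, the app's plus those of its transitive dependencies, and flags every specifier that is not an exact version, which is how a pinned app still ends up floating through a dependency that uses `^`/`~` ranges. The manifests and package names are constructed for the example.

```javascript
// Added example: report non-exact version specifiers across an app's manifest
// and the manifests of its transitive dependencies. Manifests are constructed.

// Exact: optional "=" or "v", then MAJOR.MINOR.PATCH with optional prerelease/build.
const EXACT = /^=?v?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isExact(spec) {
  let s = String(spec).trim();
  // Alias form "npm:other-name@1.2.3": judge the version after the last "@".
  const alias = s.match(/^npm:.+@([^@]+)$/);
  if (alias) s = alias[1];
  // Anything else (^, ~, x-ranges, >=, *, "latest", git/url/file specs) floats.
  return EXACT.test(s);
}

const FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// One finding per floating specifier in a single manifest.
function auditManifest(manifest) {
  const findings = [];
  for (const field of FIELDS) {
    for (const [dep, spec] of Object.entries(manifest[field] || {})) {
      if (!isExact(spec)) findings.push({ pkg: manifest.name, field, dep, spec });
    }
  }
  return findings;
}

// Audit every manifest in the tree: an app can pin all of its own
// dependencies and still float through a dependency that does not.
function auditTree(manifests) {
  return manifests.flatMap(auditManifest);
}

// Constructed manifests (hypothetical package names): my-app pins everything,
// but web-framework pulls in logger with a tilde range.
const MANIFESTS = [
  { name: 'my-app', dependencies: { 'web-framework': '4.13.3', 'util-lib': '3.10.1' },
    devDependencies: { 'test-runner': '2.3.4' } },
  { name: 'web-framework', dependencies: { logger: '~2.2.0', 'merge-descriptors': '1.0.0' } },
  { name: 'util-lib', dependencies: {} },
  { name: 'logger', dependencies: { ms: '0.7.1' } },
];

for (const f of auditTree(MANIFESTS)) {
  console.log(`${f.pkg} ${f.field}: ${f.dep}@"${f.spec}" is not pinned`);
}
```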
or rather, npm install --save-exact :)

then upgrade with npm shrinkwrap

echo "save-prefix=''" > ~/.npmrc
When I bootstrap code I npm install --save. I have 10 packages I usually need right off the bat, and I don't want to start an investigation every time I do this.