by throwanem
3533 days ago
Because you can only specify exact versions for your top-level dependencies. Whether or not they pin versions of their own dependencies is up to their own maintainers; you can't control it from package.json. And, while a lot of npm packages adhere to semver and avoid shipping breaking changes on minor version number bumps, a lot of npm packages don't. So you can get hosed through no fault of your own by an Nth-level dependency. 'npm shrinkwrap' solves this by pinning the currently installed versions of everything under node_modules/, regardless of dependency depth. Yarn does the same thing, but by default rather than, as with npm, an optional extra. There's an argument to be made that the correct place to shrinkwrap, if you want to, is in your build process. But I suspect that, in practice, Yarn defaulting to it will prove a net positive, albeit a bit of a speed bump for people looking to do turnkey migrations from npm.
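An added illustration of the distinction the comment draws between an exact top-level pin and a shrinkwrap/lockfile (this is constructed example code, not from the comment, npm or Yarn; the registry contents, package names and lockfile shape are all assumptions):

```javascript
// Constructed registry snapshot (assumed, not real packages): name -> version -> its dependency ranges.
const REGISTRY = {
  "web-framework": { "2.0.0": { "string-utils": "^1.2.0" } },
  "string-utils": { "1.2.0": {}, "1.3.0": {} },
};
const PACKAGE_JSON = { "web-framework": "2.0.0" }; // exact pin, but only at the top level
function parse(v) { return v.split(".").map(Number); }
// Minimal semver check: exact "x.y.z", or caret "^x.y.z" (same major, at least x.y.z).
function satisfies(v, range) {
  if (!range.startsWith("^")) return v === range;
  const [M, m, p] = parse(range.slice(1));
  const [vM, vm, vp] = parse(v);
  return vM === M && (vm > m || (vm === m && vp >= p));
}
// Newest registry version matching the range: what a plain install does with no lockfile.
function highestMatching(name, range) {
  const ok = Object.keys(REGISTRY[name]).filter(v => satisfies(v, range));
  ok.sort((a, b) => {
    const [x, y] = [parse(a), parse(b)];
    for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
    return 0;
  });
  return ok[ok.length - 1];
}
// Walk the dependency tree. With a lockfile, every package at every depth uses the
// locked version; without one, each range floats to the newest match at install time.
function resolve(deps, lockfile = null, out = {}) {
  for (const [name, range] of Object.entries(deps)) {
    if (out[name]) continue;
    const version = lockfile ? lockfile[name] : highestMatching(name, range);
    out[name] = version;
    resolve(REGISTRY[name][version], lockfile, out);
  }
  return out;
}
function demo() {
  // Day 1: install and shrinkwrap; the lockfile records what was actually installed.
  const lockfile = resolve(PACKAGE_JSON);
  // Day 2: the transitive dependency ships a new minor inside web-framework's caret range.
  REGISTRY["string-utils"]["1.4.0"] = {};
  return {
    lockfile,                                // string-utils 1.3.0
    floating: resolve(PACKAGE_JSON),         // string-utils 1.4.0 despite the top-level pin
    locked: resolve(PACKAGE_JSON, lockfile), // string-utils 1.3.0, regardless of depth
  };
}
```

The top-level pin on web-framework never changes, yet the unlocked install silently picks up the newer transitive minor; only the lockfile holds the tree steady.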