by debazel
225 days ago
npm will not upgrade transient dependencies if you have a lockfile. All the `frozen-lockfile` or `npm ci` commands do is prevent upgrades if you have incompatible versions specified inside of `package.json`, which should never happen unless you have manually edited the `package.json` dependencies by hand. (It also removes all untracked dependencies in node_modules, which you should also never have unless you've done something weird.)
I switched to pnpm as my preferred package manager a couple of years ago because of this, and even that still requires explicit specification.
It was an unpleasant surprise, to say the least.
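The consistency test the comment above describes (the locked versions must satisfy the ranges declared in `package.json`, otherwise `npm ci` refuses to run) can be approximated offline. The script below is an added example written for this page, not npm's own code: it takes a `package.json` object and a lockfile-v2/v3 style `package-lock.json` object, checks each declared dependency against the version pinned under `packages["node_modules/<name>"]`, and reports drift. The semver matcher is deliberately minimal (`*`, exact, `^` and `~` only), and both sample documents are constructed inline; in a real check you would read the two files from disk and use the `semver` package for full range support.

```javascript
// Added example, not from the thread. Offline approximation of the
// package.json vs package-lock.json consistency check that `npm ci` enforces.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Simplified semver range check: supports "*", exact, "^x.y.z" and "~x.y.z".
function satisfies(version, range) {
  if (range === '*') return true;
  const v = parseVersion(version);
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = parseVersion(op ? range.slice(1) : range);
  if (!op) return cmp(v, base) === 0;
  if (cmp(v, base) < 0) return false;
  if (op === '~') return v[0] === base[0] && v[1] === base[1];
  // caret: the leftmost non-zero component is frozen
  if (base[0] !== 0) return v[0] === base[0];
  if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];
  return cmp(v, base) === 0;
}

// Returns a list of problems; an empty list means the pair is consistent.
// Transitive packages that appear only in the lockfile are left alone: a
// lockfile is expected to pin them, and they are never compared to package.json.
function checkLockfile(pkg, lock) {
  const problems = [];
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const root = (lock.packages && lock.packages['']) || {};
  const lockDeclared = { ...(root.dependencies || {}), ...(root.devDependencies || {}) };
  for (const [name, range] of Object.entries(declared)) {
    const entry = lock.packages && lock.packages[`node_modules/${name}`];
    if (!entry) { problems.push(`${name}: missing from lockfile`); continue; }
    if (!satisfies(entry.version, range)) {
      problems.push(`${name}: lockfile pins ${entry.version}, package.json wants ${range}`);
    }
    if (lockDeclared[name] !== undefined && lockDeclared[name] !== range) {
      problems.push(`${name}: lockfile root records ${lockDeclared[name]}, package.json has ${range}`);
    }
  }
  for (const name of Object.keys(lockDeclared)) {
    if (!(name in declared)) problems.push(`${name}: in lockfile root but not in package.json`);
  }
  return problems;
}

// Constructed sample documents (not taken from any real project).
const SAMPLE_PACKAGE = {
  name: 'demo', version: '1.0.0',
  dependencies: { lodash: '^4.17.21', express: '~4.18.0' },
};
const SAMPLE_LOCK = {
  name: 'demo', lockfileVersion: 3,
  packages: {
    '': { dependencies: { lodash: '^4.17.21', express: '~4.18.0' } },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/express': { version: '4.18.2' },
    'node_modules/accepts': { version: '1.3.8' }, // transitive, pinned only here
  },
};
// The "edited package.json by hand" case: lodash bumped without regenerating the lock.
const DRIFTED_PACKAGE = {
  name: 'demo', version: '1.0.0',
  dependencies: { lodash: '^5.0.0', express: '~4.18.0' },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, pkg] of [['in sync', SAMPLE_PACKAGE], ['drifted', DRIFTED_PACKAGE]]) {
    const problems = checkLockfile(pkg, SAMPLE_LOCK);
    console.log(`${label}: ${problems.length ? problems.join('; ') : 'OK'}`);
  }
}
```

Run it with `node` to see the in-sync pair pass while the hand-edited `package.json` is reported twice for `lodash` (the pinned 4.17.21 no longer satisfies `^5.0.0`, and the range recorded in the lockfile root no longer matches). Note that the transitive `accepts` entry is never flagged, which is the point the comment makes: a lockfile pins transitive versions, and a frozen install only fails on the top-level disagreement.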