This is what you want to happen. The alternative is, you shrinkwrap everything a...

iamsohungry · on Nov 11, 2015

> This is what you want to happen.

Uh, no, I don't want my dependencies to break out from under me, thanks.

This is a major problem with the JS culture that I cannot stand. Too many JS devs can't be bothered to write software that doesn't suck, and so they try to instead tell their users their crappy problems are actually what they want. No, if you push changes to a library that break your library users' software without warning and a reasonable upgrade plan, you're doing a bad job.

> The alternative is, you shrinkwrap everything and lock it down, and your dependencies never change.

Or I use dependencies that upgrade their dependencies intentionally instead of whenever the `^` does it for them. The problem is that most of the JS packages out there are garbage software that doesn't do that. So it's necessary to be careful and only use dependencies which are well-maintained and reliable. ...which isn't unique to npm or a new problem, it's been well-known since all the way back when CPAN was new. Just because installing libraries is easy doesn't mean it's a good idea.

> Except that now it's been a year, and you want to update your dependencies, and it's this huge jump that requires so many changes that it's going to take a month of concentrated pain to do, so you never do it, and welcome to the world of legacy code.

Or you can do your job like a competent professional and don't wait a year to upgrade your dependencies. Again, fewer, more reliable dependencies helps with this; if you are using reasonable dependencies, they'll push few breaking changes and give warnings and reasonable upgrade plans.

k__ · on Nov 12, 2015

So true...

But I have to admit, the problems I mentioned only occur about once a month and only cost a few hours to fix and we have over 100 dependencies.

If we wouldn't use so much third party stuff we would probably end up fixing this every few months, which is okay-ish.