Pin packages

[macabeus]

Is strongly recommended to pin the packages on package.json file, in order to avoid auto-upgrade, because it could break the application.

For example, instead of "showdown": "^1.9.1", is safer to write just "showdown": "1.9.1" (without ˆ).

[LorhanSohaky]

I believe that npm-semver and package-lock.json guarantee this.

Caret Ranges:

• ^1.2.3 := >=1.2.3 <2.0.0
• ^0.2.3 := >=0.2.3 <0.3.0
• ^0.0.3 := >=0.0.3 <0.0.4

Package-lock:

It describes the exact tree that was generated, such that subsequent installs are able to generate identical trees, regardless of intermediate dependency updates.

[macabeus]

But it only works if the package maintainer's really set correctly the semantic version. And not, there are moments that they make mistakes, or on situations that "this is a very small edge case, let's add it as a minor", but it could break someone.

For example: on a release, express decided to add an exception when someone use the encoding utf8 instead of utf-8. It's a break change, but the guys decided to add it as a minor.