exactify
CLI tool that removes the ^ prefix from package.json dependencies and replaces each range with the specific version recorded in package-lock.json.
But in reality there is no guarantee that a new minor version of a package won't break something in your app. This happens even for well-tested and well-maintained packages with a large community, such as Webpack (see issue #8082).
But there is also a much worse problem: security risk. Imagine that an attacker gets access to the npm account of the owner of some popular package. Publishing a patch version with malicious code would immediately make every application that uses this dependency (or that uses a package which depends on it) vulnerable, because a ^ range lets the new patch version be installed automatically. You can easily find examples of such attacks by googling 'npm package hack'; here is one of them: DeFi Exchange dYdX NPM User Account Gets Hacked
Let me know if you found this useful. If you have any suggestions, feature requests or bug reports, feel free to file an issue or open a PR on GitHub. Stars are kindly appreciated!