Managing JavaScript dependencies
- Use Yarn for JavaScript dependencies management.
- Always save the yarn.lock file in your code repository.
Version locking
- Use caret ranges (e.g. `^2.2.4`) for locking packages.
- Use specific version locking only when necessary (e.g. the new version is incompatible or introduces bugs).
- When locking a package to a specific version, provide the reason why it was locked. Since the package.json file does not support comments, add a separate `lock-reasons` block with that information:
```json
{
  "lock-reasons": {
    "jquery": "new version breaks stuff"
  },
  "dependencies": {
    ...
    "jquery": "2.2.4"
    ...
  }
}
```
Updating packages
- Use `yarn outdated` to find out which packages are outdated.
- Use `yarn upgrade` to update all packages while respecting version locking.
- Avoid using `yarn upgrade package1` or `yarn upgrade package2@version` to update a specific package, since these commands ignore version locking.