This is a super short post with a little semi-pro tip for working with npm packages and production quality builds and importantly: pinning releases.

UK EVENTAttend ffconf.org 2024

The conference for people who are passionate about the web. 8 amazing speakers with real human interaction and content you can't just read in a blog post or watch on a tiktok!

Context: technical post about node projects and npm

By default today, if you run npm install --save foo@1, you'll get a new entry in your package as such:

  "dependencies": {
    "foo": "^1.1.0"
  }

Assuming(!) that the package author is following semver, then you'll get all the fixes (patch) and features (minor) for free upon next install due to the leading ^ character (except in the cases like 0.1.0 or 0.0.1...because "semver" ¯\_(ツ)_/¯ - but the point is, that it's floating).

This might be fine for 3rd party dependencies, but might not work for your own packages. If this was my main application code, and foo was one of my own packages, I'd want to be sure I was installing exactly the version I intend to.

The npm cli has a little known (to me) command --save-exact (or -E) which will save the specific version. In addition, you can create an .npmrc file that's in your project's root directory that contains:

save-exact = true

This will mean that all npm install <pkg> commands will pin to the version that was available at the time you run the command.

Important note this does not guarantee being able to replicate the build. This is because the dependencies of your dependencies won't be pinned. If you need this, then consider either using shrinkwrap or bundleDependencies.