Question about dependencies #2993

Closed
callumlocke opened this issue Sep 26, 2017 · 8 comments
Comments

@callumlocke
Contributor

callumlocke commented Sep 26, 2017

(I searched for duplicates, apologies if this has been discussed before.)

The package.json files in Next.js and styled-jsx omit the conventional ^ on dependency versions.

Why is this? I'm guessing it's intentional, as it seems to be this way on multiple Zeit projects, and you obviously know what you're doing.

Why it causes a problem for me: I'm making a Next.js website. I found a bug coming from Stylis the other night, and it got fixed by @thysultan quickly. But then I had to wait for styled-jsx to be republished, which happened the next day. And Next.js is still not republished (at time of writing), so I'm still blocked until that happens.

If it's a defence against regressions in dependencies, FWIW, it seems like opting out of automatic patches does more harm than good. I know patch releases can sometimes introduce regressions, but they fix bugs more often. The approach would make sense to me if you had an automated nightly test-and-republish system to ensure you pick up patches quickly, but this doesn't seem to be in place – for example, until a few hours ago, styled-jsx was fixed to a two-month-old Stylis version (3.2.8), from July 24. Stylis has released 10 patches over that time, and none of them made it into styled-jsx until 5 hours ago. (And they're still not in Next.js.) On balance, wouldn't it make more sense to use ^?

@connor-baer
Contributor

This PR might shine some light on the decision to use strict dependencies: #2929

Since we use Greenkeeper, we get PRs when there is an update.

@callumlocke
Contributor Author

callumlocke commented Sep 26, 2017

@connor-baer interesting, thanks.

But the Greenkeeper strategy doesn't seem to be working. Next.js is still fixed (via styled-jsx) to a two-month-old version of Stylis, which has had ten patches since then.

@timneutkens
Member

timneutkens commented Sep 26, 2017

@callumlocke Flat out, this is mostly my fault, I need to keep up with outdated packages 😄, creating a PR now!

FYI, Greenkeeper was disabled because of issues with NPM, as far as I've heard from Leo :)

@radeno
Contributor

radeno commented Sep 28, 2017

Is a strict version really necessary? It bloats dependencies so much.
It isn't about Greenkeeper using newer versions. It does, but how often do you need to release a new version? :)
It is that many other modules use the same dependencies but with different versions.
If you freeze on an exact version, then there could be two dependencies of the same module. Maybe you can define a lower version with a caret. But the caret is too verbose and allows changing the minor version.

I think tilde ~ is the best option, because tilde allows only a different patch level and could help to remove unnecessary duplicate dependencies of exact versions.
https://docs.npmjs.com/misc/semver#tilde-ranges-123-12-1

@radeno
Contributor

radeno commented Sep 28, 2017

I did some research.
Clone the current master repo. Do yarn install / yarn upgrade with strict versions, then with the same versions using tilde.

Here is the diff:
https://gist.github.com/radeno/004d5c1547eb9a41062d590668c74b68

As you can see, many dependencies use a newer patch version, which is great because it can be a critical fix or something like that.
One difference is with "pretty-format", because the "lint-staged" module locked it to an exact version.

EDIT:

The test is only with NextJS dependencies; it does not cover a production app, where the difference will probably be a disadvantage for strict versions.

@callumlocke
Contributor Author

@timneutkens thanks for upgrading the dependencies. But won't this just keep happening?

No one has answered my question: Why doesn't Zeit simply follow the Node.js convention of defaulting to ^ for version ranges?

@ide

ide commented Oct 3, 2017

Another thing the pinned dependencies do is make it more difficult for Yarn or npm to dedupe dependencies, which makes for larger node_modules directories and larger bundles in some cases.
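To make the two points above concrete (radeno's tilde suggestion and ide's dedupe remark), here is an added example that is not code from the Next.js repo or any commenter: a minimal matcher for exact, `~` and `^` npm ranges, plus a check of whether two dependents can share one installed copy. It handles plain `x.y.z` versions only, and the release list is constructed sample data loosely modelled on the Stylis 3.2.8 pin discussed in the thread, not the real registry.

```javascript
// Added example: simplified npm semver range semantics (exact / tilde / caret).
// No prerelease tags, no "||" or comparator ranges. Not the `semver` package.
const parse = (v) => v.split('.').map(Number);
const cmp = (a, b) => {
  const [a1, a2, a3] = parse(a), [b1, b2, b3] = parse(b);
  return (a1 - b1) || (a2 - b2) || (a3 - b3);
};

// Returns true when `version` satisfies `range`.
function satisfies(range, version) {
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = op ? range.slice(1) : range;
  const [bM, bm, bp] = parse(base), [vM, vm, vp] = parse(version);
  if (cmp(version, base) < 0) return false;          // never below the stated version
  if (op === '') return cmp(version, base) === 0;    // exact pin: only that version
  if (op === '~') return vM === bM && vm === bm;     // tilde: patch updates only
  // caret: same major; for 0.x npm treats the minor (or, for 0.0.x, the patch) as breaking
  if (bM === 0) return vM === 0 && vm === bm && (bm !== 0 || vp === bp);
  return vM === bM;
}

// Highest published version that satisfies the range, or null.
function resolve(range, published) {
  const ok = published.filter((v) => satisfies(range, v)).sort(cmp);
  return ok.length ? ok[ok.length - 1] : null;
}

// Can two dependents be served by one copy? Returns the shared version, else null
// (null means the package manager must install the module twice).
function dedupe(rangeA, rangeB, published) {
  const shared = published.filter((v) => satisfies(rangeA, v) && satisfies(rangeB, v)).sort(cmp);
  return shared.length ? shared[shared.length - 1] : null;
}

// Constructed release list: the pinned 3.2.8, later patch releases, a minor and a major bump.
const SAMPLE_VERSIONS = ['3.2.7', '3.2.8', '3.2.9', '3.2.10', '3.2.18', '3.3.0', '4.0.0'];

// What each range strategy resolves to against the constructed list.
function compareStrategies(published = SAMPLE_VERSIONS) {
  return {
    exact: resolve('3.2.8', published),   // stays on 3.2.8: later fixes never arrive
    tilde: resolve('~3.2.8', published),  // picks up patch releases only
    caret: resolve('^3.2.8', published),  // also picks up 3.3.0, but not 4.0.0
    pinVsCaretShared: dedupe('3.2.8', '^3.2.10', published),   // null: two copies
    tildeVsCaretShared: dedupe('~3.2.8', '^3.2.10', published), // one shared copy
  };
}
```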

@lock

lock bot commented May 10, 2018

This thread has been automatically locked because it has not had recent activity. Please open a new issue for related bugs and link to relevant comments in this thread.

@lock lock bot locked as resolved and limited conversation to collaborators May 10, 2018