For a long time I’ve been listing my package.json dependencies the right way. The best practice from that article is to use wildcards for the patch version: 0.1.x. The reasoning is that patch version updates are usually bug fixes or optimizations, meaning the module is safe to update. Minor and major updates might contain API changes, which can break our app.

But the world isn’t perfect. Not everyone follows semver specifications all the time. Therefore we must make our package.json dependencies a little bit more explicit.

The shrinkwrap npm command was born earlier this year. It allows an app to specify exactly what version of each dependency it needs to install, including deeply nested dependencies. Run npm help shrinkwrap for more info. But if you’re a little bit more optimistic like me, and want to continue installing patch updates, keep reading. :)

I propose favoring tilde (~) style versions: ~0.1.2. This means npm will install patch version updates and ignore major and minor updates. In terms of which updates it accepts, it’s the same as 0.1.x. But this time, you have a reference to the exact version you used when you decided to depend on that module and tested your app.
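To make the difference between the two styles concrete, here is an added Node.js example (not code from the original post): a minimal matcher for the two range forms discussed, 0.1.x and ~0.1.2. It handles only three-part versions and these two forms; npm’s own semver package covers the full grammar.

```javascript
// Added example: a minimal matcher for the two package.json range styles
// discussed in the post, "0.1.x" wildcards and "~0.1.2" tildes.

// Parse "MAJOR.MINOR.PATCH" into three integers, rejecting anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Translate a range into an inclusive lower bound and an exclusive upper
// bound, both as [major, minor, patch] triples.
function rangeBounds(range) {
  let m;
  if ((m = /^~(\d+)\.(\d+)\.(\d+)$/.exec(range))) {
    // ~0.1.2 means >=0.1.2 <0.2.0: the version you tested with is the floor.
    const [maj, min, pat] = m.slice(1, 4).map(Number);
    return { lower: [maj, min, pat], upper: [maj, min + 1, 0] };
  }
  if ((m = /^(\d+)\.(\d+)\.x$/.exec(range))) {
    // 0.1.x means >=0.1.0 <0.2.0: any patch level, even older than tested.
    const [maj, min] = m.slice(1, 3).map(Number);
    return { lower: [maj, min, 0], upper: [maj, min + 1, 0] };
  }
  throw new Error(`unsupported range: ${range}`);
}

// Lexicographic comparison of two version triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` falls inside `range`.
function satisfies(version, range) {
  const v = parseVersion(version);
  const { lower, upper } = rangeBounds(range);
  return compareVersions(v, lower) >= 0 && compareVersions(v, upper) < 0;
}

// Side-by-side table of which candidate versions each range would install.
function compareRanges(candidates, ranges) {
  return candidates.map((version) => ({
    version,
    ...Object.fromEntries(ranges.map((r) => [r, satisfies(version, r)])),
  }));
}

console.table(compareRanges(['0.1.1', '0.1.2', '0.1.9', '0.2.0'], ['0.1.x', '~0.1.2']));
```

The table shows the one row where the two ranges disagree: 0.1.1 satisfies 0.1.x but not ~0.1.2, because the tilde form records the version you actually tested as its floor.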

I prefer this style of versioning in case my app’s tests happen to fail due to a module update. If that happens, I’ll have a reference to the last version that I know it worked with. I know this does not happen often, because most module authors do follow semver closely. But it happened to me recently, and it happened with one of the most depended-on modules.