Javascript dependency management with Package.json

As begun in Better JS dependency management with yarn, we use Yarn to install JavaScript dependencies specified in package.json, and lock version numbers in yarn.lock to ensure all environments are using the exact same versions.

We use Dependabot to suggest updates whenever a new version is released. Currently, it is configured to respect all versions specified in package.json, with lockfile-only (see comments about it here).

Most of the versions specified in package.json only accept a minor update (denoted by ^). So, based on my understanding, we would not be notified of major version updates and could be missing out.

But apparently this is the industry-standard way to do it, and Yarn automatically adds the restriction (e.g. yarn add react => "react": "^18.2.0").
I believe Dependabot can be configured for this, to suggest updates to package.json.

So I think we need to make a choice:

  1. Continue to have version restrictions in package.json as per industry standard, and configure Dependabot to suggest updates
  2. Remove version restrictions from package.json, and Dependabot will suggest updates to the lockfile only (this is how we manage Ruby gems in Gemfile)

Is this correct? Have I summarised the current state correctly?
Does anyone have a reason to suggest option 1 or 2?

I tried removing all version restrictions from package.json and running yarn install. It’s hard to quickly analyse the updated yarn.lock file, but I can see:

mrujs was stuck @^0.7.4: version "0.7.4"
When unrestricted, it updated three minor versions: mrujs@*: version "0.10.1"

There are two others which we’re probably aware of already: Foundation and Webpacker (and related packages)

I was surprised there wasn’t more actually, so I guess it’s not that big a deal!

If I may add my opinion, I like the Gemfile way, because then we can specify only version restrictions that matter, ideally with a comment explaining why. E.g.:

gem 'highline', '2.0.3' # Necessary for the install generator

But JSON doesn’t support comments so we couldn’t do that anyway.

If it’s the yarn default and apparently industry standard, I would suggest option #1.
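An added example (not code from the thread) showing how Yarn and npm interpret the ranges discussed above: a small caret-range resolver run over constructed release lists for mrujs and react. npm's caret rule freezes the leftmost non-zero component, so ^0.7.4 admits only 0.7.x patch releases while ^18.2.0 admits any 18.x.y, which is why an unrestricted "*" moved mrujs from 0.7.4 to 0.10.1 in a lockfile-only update.

```javascript
// Added example, not from the thread: a minimal resolver for the caret ranges
// discussed above, with no npm packages so it runs offline. Versions and
// release lists are constructed; pre-release tags are not handled.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number); // [major, minor, patch]
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Turn a package.json range into [lower inclusive, upper exclusive).
// "*" admits anything. "^" freezes the leftmost non-zero component (npm's
// rule): ^18.2.0 admits any 18.x.y, but ^0.7.4 admits only 0.7.x, so a
// caret on a 0.x package is stricter than it looks.
function parseRange(range) {
  if (range === "*" || range === "") return { lower: [0, 0, 0], upper: null };
  const lower = parseVersion(range.startsWith("^") ? range.slice(1) : range);
  const [major, minor, patch] = lower;
  if (!range.startsWith("^")) return { lower, upper: [major, minor, patch + 1] };
  if (major > 0) return { lower, upper: [major + 1, 0, 0] };
  if (minor > 0) return { lower, upper: [0, minor + 1, 0] };
  return { lower, upper: [0, 0, patch + 1] };
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const { lower, upper } = parseRange(range);
  return compare(v, lower) >= 0 && (upper === null || compare(v, upper) < 0);
}

// What a lockfile-only update can pick: the newest published release the
// package.json range still admits. Returns null when nothing qualifies.
function highestSatisfying(range, published) {
  const ok = published.filter((v) => satisfies(v, range)).map(parseVersion);
  return ok.length ? ok.sort(compare)[ok.length - 1].join(".") : null;
}

// Constructed release lists for the two packages named in the thread.
const MRUJS_RELEASES = ["0.7.4", "0.8.0", "0.9.2", "0.10.1"];
const REACT_RELEASES = ["18.2.0", "18.3.1", "19.0.0"];

console.log(highestSatisfying("^0.7.4", MRUJS_RELEASES));  // 0.7.4
console.log(highestSatisfying("*", MRUJS_RELEASES));       // 0.10.1
console.log(highestSatisfying("^18.2.0", REACT_RELEASES)); // 18.3.1
```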

Perfect summary @dcook! Thanks.

I would suggest option #1 as well, for the same reasons actually.

Okay, option one it is. It’s basically allowing Dependabot to upgrade everything. That’s our goal with gems, too, but we still need to resolve some issues to get to the most recent versions.