Can fixed package.json versions change?

Question

I have fixed versions in my package.json - all of my packages look like this:

"dependencies": {
    "@apollo/client": "3.6.4",
    "bootstrap": "4.6.2",
    "graphql": "16.5.0"
}

Note the lack of ^ and ~ from the packages.

But pipeline build stages that previously passed are failing, and I'm trying to run down the cause.

Is there ANY possibility that there could be a code change (specifically in the package-lock.json) of those dependancies, or are they static once they've been published?

Answer 1

The package-lock.json file is intended to make sure that the version that you install in production is EXACTLY the version that you installed (down to the commit sha). You use npm-ci to install the EXACT version, this is typically only used in CI environments.

In earlier versions of Node.js, the package.json file did not provide a way to lock down the specific version of each dependency that a project was using. This meant that when a project was deployed or shared with others, there was a risk that different developers or machines would use different versions of the same dependency, which could cause compatibility issues or unexpected behavior.

package-lock.json file is like a one-stop solution of your entire problem. package-lock.json is a file that is automatically generated by npm when a package is installed. It records the exact version of every installed dependency, including its sub-dependencies and their versions.

The purpose of package-lock.json is to ensure that the same dependencies are installed consistently across different environments, such as development and production environments. It also helps to prevent issues with installing different package versions, which can lead to conflicts and errors.

package-lock.json is created by npm when you run the npm install command. It contains a detailed list of all the packages, their dependencies, their specific version numbers, and locations (usually mentioned in the package.json file)

If you are working in a team, it is important to commit package-lock.json to your version control system along with your code so that all team members have the same dependencies installed. When another developer clones the project, they can simply run npm-install to install the same packages and versions specified in the package-lock.json file.

https://www.atatus.com/blog/package-json-vs-package-lock-json/

So the answer is that yes, they can change a little but if you use a lock file and npm-ci you won't have to worry about it.

We use Renovate to automate upgrades to newer versions, it's much better than npm upgrade.