The Art of Node/JS Dependency Management

Dependency Management

• Keeping external packages up to date and secure
• Keeping Node up to date
• Choosing good libraries

Why It's an Art

• Third Party libraries open your project up to external forces
• Multiple libraries often share dependencies
• Package ecosystems evolve, change, and rot
• Updating Node often requires package updates
• Dependency hell

Node Release Cycle

• Use Even number (preferably current/active)

• If your JS project isn't Node (ex. a React app), the tooling is

• The Packages and the Node version you're using affect each other

nodejs.org/en/about/previous-releases

NPM

• A Company

• A Package Registry

• A CLI

• Alternative CLIs like Yarn and Bun provide different features and handle resolutions differently than the NPM CLI

Package.json file

• Defines a Node/JS project/package

• Specifies Packages and their versions, Node version, NPM version, resolutions

• scripts provide context for how to run the app and common tasks

Tools

• yarn audit/npm audit - list dependencies with known vulnerabilities

• yarn outdated/npm outdated - list outdated dependencies with the preferred version

Types of Dependencies

• dependencies

• dev dependencies

• peer dependencies

Peer Dependencies

Resolutions/Overrides

Resolutions force a package to be resolved to a certain version, even if a different version is specified by parent dependencies

This is often to resolve security vulnerabilities when shared dependencies can't be updated trivially

• Know the risks

• Sometimes a signal that upgrades are needed

• resolutions in yarn, overrides in npm

Choosing good packages

Ecosystem Health

• Usage

• Github Activity

• Most recent release