The Art of Node/JS Dependency Management

Dependency Management

  • Keeping external packages up to date and secure
  • Keeping Node up to date
  • Choosing good libraries

Why It's an Art

  • Third Party libraries open your project up to external forces
  • Multiple libraries often share dependencies
  • Package ecosystems evolve, change, and rot
  • Updating Node often requires package updates
  • Dependency hell

Node Release Cycle

  • Use Even number (preferably current/active)

  • If your JS project isn't Node (ex. a React app), the tooling is

  • The Packages and the Node version you're using affect each other

nodejs.org/en/about/previous-releases

NPM

 

  • A Company

  • A Package Registry

  • A CLI

 

  • Alternative CLIs like Yarn and Bun provide different features and handle resolutions differently than the NPM CLI

Package.json file

  • Defines a Node/JS project/package

  • Specifies Packages and their versions, Node version, NPM version, resolutions

  • scripts provide context for how to run the app and common tasks

Tools

  • yarn audit/npm audit - list dependencies with known vulnerabilities

  • yarn outdated/npm outdated - list outdated dependencies with the preferred version

Types of Dependencies

  • dependencies

  • dev dependencies

  • peer dependencies

Peer Dependencies

Resolutions/Overrides

Resolutions force a package to be resolved to a certain version, even if a different version is specified by parent dependencies

 

This is often to resolve security vulnerabilities when shared dependencies can't be updated trivially

 

  • Know the risks
  • Sometimes a signal that upgrades are needed

  • resolutions in yarn, overrides in npm

Choosing good packages

Ecosystem Health

  • Usage

  • Github Activity

  • Most recent release

The Art of Node/JS Dependency Management

By gpspake

The Art of Node/JS Dependency Management

  • 112