The Art of Node/JS Dependency Management
Dependency Management
- Keeping external packages up to date and secure
- Keeping Node up to date
- Choosing good libraries
Why It's an Art
- Third Party libraries open your project up to external forces
- Multiple libraries often share dependencies
- Package ecosystems evolve, change, and rot
- Updating Node often requires package updates
- Dependency hell
Node Release Cycle
-
Use Even number (preferably current/active)
-
If your JS project isn't Node (ex. a React app), the tooling is
-
The Packages and the Node version you're using affect each other
nodejs.org/en/about/previous-releases
NPM
-
A Company
-
A Package Registry
-
A CLI
- Alternative CLIs like Yarn and Bun provide different features and handle resolutions differently than the NPM CLI
Package.json file
-
Defines a Node/JS project/package
-
Specifies Packages and their versions, Node version, NPM version, resolutions
-
scripts provide context for how to run the app and common tasks
Tools
-
yarn audit/npm audit - list dependencies with known vulnerabilities
-
yarn outdated/npm outdated - list outdated dependencies with the preferred version
Types of Dependencies
-
dependencies
-
dev dependencies
-
peer dependencies
Peer Dependencies
Resolutions/Overrides
Resolutions force a package to be resolved to a certain version, even if a different version is specified by parent dependencies
This is often to resolve security vulnerabilities when shared dependencies can't be updated trivially
- Know the risks
-
Sometimes a signal that upgrades are needed
-
resolutions in yarn, overrides in npm
Choosing good packages
Ecosystem Health
-
Usage
-
Github Activity
-
Most recent release
The Art of Node/JS Dependency Management
By gpspake
The Art of Node/JS Dependency Management
- 112