There was already discussion on that: https://groups.google.com/d/msg/nodejs/Dj8QZ-5qHoM/91ngmxr0NHsJ
My approach is the following:

For generic packages: Never include node_modules within .git, just maintain a well configured package.json.

For final projects: Include all content of node_modules within .git. (If there are dependencies that require compilation, make sure not to include compiled builds (ignore `build` folders).) On a regular basis (every 1-2 months) the main project developer should update all outdated dependencies to the latest versions and test whether they don't break the project.

Such a workflow assures that:

- All developers work on exactly the same setup (no minor version differences)
- Makes your project installable without an internet connection
- Makes any version of your project installable in years to come. You cannot be sure of NPM state in 5 years, or whether all packages you use now will still be there. All you will need then is that old version of Node.js and the code from your repository.

> Are people just updating to latest modules without reviewing the changes?

Most projects hosted on NPM apply semver rules -> http://semver.org/
Thanks to that you shouldn't be scared to do any minor version upgrade, they should just work, but when doing a major version upgrade, you should carefully review the changes and if needed update your code so it works with the updated module.

Mariusz

On Wednesday, August 14, 2013 8:18:51 AM UTC+2, Benjamin Pasero wrote:

> Hi,
>
> I would like to hear from others how npm dependencies are managed. I am typically doing this:
> - use npm shrink wrap
> - check in to git only that file but not the modules
> - once per iteration check for updates to all modules and decide to update or not
>
> The issues I am seeing with this approach are:
> - I am typically not able to update my shrink wrap file with newer versions unless I recreate the file from scratch when many versions have changed. This means once per iteration this file might change a lot with many version updates
> - I have to manually review the changelog (if provided) of each used module and decide on a case by case basis to update or not. If I do so, it might bring in lots of updates from dependent modules. Some modules might not even be managed anymore
> - there is no notification mechanism when a library was updated e.g. for security fixes
>
> Are people just updating to latest modules without reviewing the changes?
>
> One solution for me is to greatly reduce the number of dependencies I am using. Going down from 20 to like 6 helped a lot managing the dependencies better, but this is not a real solution.
>
> I am actually missing good old Apache style libraries I guess from my Java times.
>
> Ben
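The semver rule Mariusz relies on (minor upgrades should be safe, major ones need a careful review), as an added example that is not part of the original thread: a small Node.js script that compares two dependency snapshots and flags the updates that deserve a changelog read before the refreshed node_modules is committed. It assumes exact `x.y.z` versions and, because semver makes no compatibility promise for `0.y.z` releases, treats a minor bump on a 0.x package as if it were a major one; the package names and versions below are constructed samples.

```javascript
// Added example (not from the original thread). Classifies dependency
// updates by the size of their semver bump so a reviewer knows which
// ones need a careful changelog read. Assumes plain "x.y.z" versions
// with an optional "-prerelease" suffix.

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns { bump: "major" | "minor" | "patch" | "none", needsReview }.
// A minor bump on a 0.x package is flagged like a major one, and moving
// onto a prerelease is always flagged.
function classifyUpdate(from, to) {
  const a = parseSemver(from), b = parseSemver(to);
  let bump = 'none';
  if (b.major !== a.major) bump = 'major';
  else if (b.minor !== a.minor) bump = 'minor';
  else if (b.patch !== a.patch || b.pre !== a.pre) bump = 'patch';
  const unstable = a.major === 0 && b.major === 0;
  const needsReview =
    bump === 'major' || (unstable && bump === 'minor') || b.pre !== null;
  return { bump, needsReview };
}

// Compares two snapshots of exact dependency versions (e.g. the
// "dependencies" map before and after a refresh) and reports changes.
function reviewUpdates(oldDeps, newDeps) {
  const report = [];
  for (const [name, to] of Object.entries(newDeps)) {
    if (!(name in oldDeps)) {
      report.push({ name, to, bump: 'added', needsReview: true });
      continue;
    }
    const from = oldDeps[name];
    const { bump, needsReview } = classifyUpdate(from, to);
    if (bump !== 'none') report.push({ name, from, to, bump, needsReview });
  }
  return report;
}

// Constructed sample snapshots (not real package versions).
const before = { express: '3.3.4', async: '0.2.9', lodash: '1.3.1', request: '2.21.0' };
const after = { express: '3.4.0', async: '0.9.0', lodash: '2.0.0', request: '2.21.0', semver: '2.1.0' };

console.log(JSON.stringify(reviewUpdates(before, after), null, 2));
```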
