Version ranges, lockfile, update strategy, supply-chain hygiene. Part of the DevTools Surf developer suite (Info / Guides collection).
Use Cases
Developers understanding the difference between ^ and ~ version ranges
DevOps engineers setting up automated dependency update tools like Renovate
Security teams auditing npm packages for known vulnerabilities
Tech leads establishing dependency update policies for engineering teams
Tips
Check the version range syntax to understand ^, ~, and exact pinning
Review the lockfile section to know when to commit and when to regenerate
Use the supply-chain hygiene checklist to audit third-party packages
Fun Facts
Semantic Versioning (SemVer) was formalized by Tom Preston-Werner (GitHub co-founder) in 2009 as a specification to solve 'dependency hell.'
The npm registry surpassed 3 million packages in 2024, making it the largest software package registry in the world — over 3x the size of PyPI.
The event-stream supply-chain attack in November 2018 injected malicious code into a package with 2 million weekly downloads, stealing cryptocurrency wallet keys.
FAQ
What does ^1.2.3 mean?
Compatible with 1.2.3 but less than 2.0.0. Minor and patch upgrades OK; major upgrades blocked. The npm default; matches SemVer's 'compatible' definition.
And ~1.2.3?
Compatible with 1.2.3 but less than 1.3.0. Only patch upgrades. Stricter than ^ — useful when minor releases have broken you.
Should I commit package-lock.json?
Yes — it pins exact versions for reproducible installs. Without it, every `npm install` can pick up new transitive versions.
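As an added example (not code from DevTools Surf), a small JavaScript checker for the ^, ~ and exact-pin rules in the two range answers above, which also shows, for the lockfile answer, which published version an unlocked `npm install` would resolve for each range. It goes beyond the FAQ by handling the 0.x caret case as node-semver does (^0.2.3 allows <0.3.0, ^0.0.3 allows only 0.0.3); the package's version list is constructed sample data.

```javascript
// Added example: minimal model of npm's ^, ~ and exact ranges for plain
// X.Y.Z versions (no prerelease tags, no ||, no wildcards). Not DevTools
// Surf's code; mirrors node-semver's rules for these three forms.

function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain X.Y.Z version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns [lowerInclusive, upperExclusive] for a range string.
function bounds(range) {
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = parse(op ? range.slice(1) : range);
  const [major, minor, patch] = base;
  if (op === '') return [base, [major, minor, patch + 1]];  // exact pin
  if (op === '~') return [base, [major, minor + 1, 0]];     // patch only
  // caret: everything left of the first non-zero component stays fixed
  if (major > 0) return [base, [major + 1, 0, 0]];          // ^1.2.3 -> <2.0.0
  if (minor > 0) return [base, [0, minor + 1, 0]];          // ^0.2.3 -> <0.3.0
  return [base, [0, 0, patch + 1]];                          // ^0.0.3 -> <0.0.4
}

function satisfies(version, range) {
  const v = parse(version);
  const [lo, hi] = bounds(range);
  return compare(v, lo) >= 0 && compare(v, hi) < 0;
}

// Highest published version a range permits: what an install without a
// lockfile resolves to, and why that answer drifts as new versions ship.
function highestSatisfying(available, range) {
  const ok = available.filter((v) => satisfies(v, range)).map(parse);
  if (ok.length === 0) return null;
  ok.sort(compare);
  return ok[ok.length - 1].join('.');
}

// Constructed sample of versions published for a hypothetical package.
const published = ['1.2.3', '1.2.9', '1.3.0', '1.9.4', '2.0.0'];
for (const r of ['^1.2.3', '~1.2.3', '1.2.3']) {
  console.log(`${r.padEnd(7)} -> ${highestSatisfying(published, r)}`);
}
```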
How often should I update?
Weekly for security patches (Dependabot helps). Monthly for feature updates. Big version bumps on your schedule. Never skip security updates for more than a sprint.