Overall

  • Use de facto standard packages: ones with a thriving community and consistent updates.
  • Never modify libs/packages directly (no hand-patching inside node_modules). Choose another lib or work around the problem, and contribute the fix upstream to that lib.
  • Explicitly specify the exact package version. No "~" or "^" in package.json.
  • What's the alternative? What if a massive issue is revealed in that must-have lib you are using and the only solution is to update? If you update regularly and deliberately, that update is small, and you can sit back and focus on customer demands.

Caveats/Issues

  • Who will pay? In the end, the customer. The extra work this takes rarely amounts to more than a couple of minutes, but it benefits the developers and the customer in the long run.
  • I have urgent work that cannot wait! Then skip this step for now; it's here to help and is not mandatory.
  • A new version has massive breaking changes! Look at the release notes and the newly opened issues on that lib's tracker. Chances are that others have the same problem. Subscribe to any relevant issue for updates. Time-box the work to ~30 min; if it's not done by then, stash/branch and roll back the changes, and create a work item to pick it up later.

Helpers

  • npm-check package (lists outdated, unused and missing dependencies; the built-in `npm outdated` covers the "outdated" part)
  • Use .npmrc with `save-exact=true`, so `npm install <pkg>` writes an exact version into package.json instead of a "^" range

Workflow

  • Before starting work
  • Create a branch
  • Update: patch versions first, then minor, then major
  • Build
  • Test
  • Start the app (manual test), rarely needed
  • Do the actual work
  • Fix any issues that come up
  • Done