DEV Community

Discussion on: Any thoughts on create-react-app breaking due to one line npm package

Emma Goto 🍙

I'll admit I don't know that much about npm and dependency management (so take what I say with a grain of salt), but should packages like create-react-app be more wary of accepting minor version bumps of dependencies? In this case, is-promise went from v2.1 to 2.2 and then caused this issue; should create-react-app (or whatever dependency it relied on that in turn relied on is-promise) not have automatically accepted this version bump?

I know it's not directly create-react-app's fault, but I wonder what we can do about it from the perspective of the packages that use these dependencies. What's stopping someone from putting dodgy code in their widely-used package and doing a minor version bump?

Kushal Niroula (Author)

I think we should be explicit about the version that we depend upon and change the dependency version only when we are sure that we want to upgrade and that our code does not break. I know this means more work to do and to keep track of, but maybe it is the price we have to pay for stability, especially in the case of popular packages like create-react-app.
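As an added example that is not from either commenter, this small range checker shows concretely why the default `^` range npm writes into package.json accepts the is-promise 2.1 to 2.2 minor bump discussed above, while the exact pin the author suggests does not. The registry snapshot and the `satisfies`/`resolve` helpers are constructed for illustration; only exact, `^` and `~` ranges are handled.

```javascript
// Minimal semver range checker (added example, not create-react-app code).
// Handles exact pins, "^" (caret) and "~" (tilde) ranges only.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

function compare(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Does `version` fall inside `range` under npm's default semantics?
function satisfies(range, version) {
  const v = parseVersion(version);
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = parseVersion(range.slice(op.length));
  if (compare(v, base) < 0) return false;          // never below the floor
  if (op === '') return compare(v, base) === 0;    // exact pin
  if (op === '~') return v.major === base.major && v.minor === base.minor;
  // caret: same major; for 0.x.y only the same minor (0.0.z only the same patch)
  if (base.major === 0) {
    if (base.minor === 0) return v.major === 0 && v.minor === 0 && v.patch === base.patch;
    return v.major === 0 && v.minor === base.minor;
  }
  return v.major === base.major;
}

// Pick the newest published version a range allows, as a fresh `npm install`
// does when no lockfile pins the choice. Returns null when nothing matches.
function resolve(range, published) {
  const ok = published.filter((p) => satisfies(range, p));
  if (!ok.length) return null;
  return ok.sort((a, b) => compare(parseVersion(b), parseVersion(a)))[0];
}

// Constructed registry snapshot for is-promise (illustrative versions).
const PUBLISHED = ['2.0.0', '2.1.0', '2.2.0'];

// Default caret range: a fresh install silently picks up the 2.2 release.
resolve('^2.1.0', PUBLISHED); // → '2.2.0'
// Exact pin: stays on the version that was actually tested.
resolve('2.1.0', PUBLISHED);  // → '2.1.0'
// Tilde range: patches are still accepted, the minor bump is not.
resolve('~2.1.0', PUBLISHED); // → '2.1.0'
```

A lockfile (package-lock.json) gives the same protection for a top-level project, but a library's own package.json ranges still govern what its downstream users install, which is why the pinning question matters for widely used packages.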