I'll admit I don't know that much about npm and dependency management (so take what I say with a grain of salt), but should packages like create-react-app be more wary of accepting minor version bumps of dependencies? In this case, is-promise went from v2.1 to 2.2 and then caused this issue; should create-react-app (or whatever dependency it relied on that in turn relied on is-promise) not have automatically accepted this version bump?
I know it's not directly create-react-app's fault, but I wonder what we can do about it from the perspective of the packages that use these dependencies. What's stopping someone from putting dodgy code in their widely-used package and doing a minor version bump?
I think we should be explicit about the version that we depend upon and change the dependency version only when we are sure that we want to upgrade and that our code does not break. I know this means more work to do and keep track of, but maybe it is the price we have to pay for stability, especially in the case of popular packages like create-react-app.
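The comment above argues for pinning exact versions instead of letting a range such as `^2.1.0` pull in a new minor release. As an added example (not code from the original post, nor from create-react-app or is-promise), the script below audits a constructed package.json and reports which dependency ranges would accept a minor bump like is-promise 2.1.0 to 2.2.0 without any edit to the manifest. It models only the caret, tilde and exact forms of npm's semver ranges (using npm's rule that `^0.x.y` stays below the next minor); any other syntax is reported as unhandled rather than being silently trusted. The package names and versions in `SAMPLE_PACKAGE_JSON` are made up for the example.

```javascript
// Added example: audit package.json dependency ranges for ones that would
// silently accept a new minor release. Not from the original post.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

function compare(a, b) {
  if (a.major !== b.major) return a.major - b.major;
  if (a.minor !== b.minor) return a.minor - b.minor;
  return a.patch - b.patch;
}

// Returns { lower, upper } with upper exclusive (null upper = exact pin),
// or null when the range uses syntax this example does not model.
function rangeBounds(range) {
  const m = /^([\^~]?)v?(\d+)\.(\d+)\.(\d+)$/.exec(range.trim());
  if (!m) return null;
  const lower = { major: +m[2], minor: +m[3], patch: +m[4] };
  if (m[1] === '') return { lower, upper: null };
  if (m[1] === '~') {
    // tilde: patch releases only
    return { lower, upper: { major: lower.major, minor: lower.minor + 1, patch: 0 } };
  }
  // caret: below the next major for >=1.0.0; for 0.x.y below the next minor;
  // for 0.0.z below the next patch (npm's handling of the leftmost non-zero part)
  if (lower.major > 0) return { lower, upper: { major: lower.major + 1, minor: 0, patch: 0 } };
  if (lower.minor > 0) return { lower, upper: { major: 0, minor: lower.minor + 1, patch: 0 } };
  return { lower, upper: { major: 0, minor: 0, patch: lower.patch + 1 } };
}

// Does the installed/published version fall inside the declared range?
function satisfies(range, version) {
  const b = rangeBounds(range);
  if (!b) throw new Error(`unhandled range syntax: ${range}`);
  const v = parseVersion(version);
  if (b.upper === null) return compare(v, b.lower) === 0;
  return compare(v, b.lower) >= 0 && compare(v, b.upper) < 0;
}

// Classify every dependency: 'exact', 'patch-only', 'accepts-minor-bump',
// or 'unhandled' for syntax the example does not model.
function auditDependencies(pkg) {
  const findings = [];
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      const b = rangeBounds(range);
      if (!b) { findings.push({ name, range, status: 'unhandled' }); continue; }
      const nextMinor = { major: b.lower.major, minor: b.lower.minor + 1, patch: 0 };
      let status;
      if (b.upper === null) status = 'exact';
      else if (compare(nextMinor, b.upper) < 0) status = 'accepts-minor-bump';
      else status = 'patch-only';
      findings.push({ name, range, status });
    }
  }
  return findings;
}

// Constructed sample manifest (versions are illustrative, not real releases).
const SAMPLE_PACKAGE_JSON = {
  name: 'sample-app',
  dependencies: {
    'is-promise': '^2.1.0',  // caret: a 2.2.0 release is accepted automatically
    'left-pad': '~1.3.0',    // tilde: only patch releases
    'react': '16.13.1',      // exact pin
    'lodash': '>=4.0.0'      // not modelled here, reported as unhandled
  }
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditDependencies(SAMPLE_PACKAGE_JSON));
  console.log('^2.1.0 accepts 2.2.0:', satisfies('^2.1.0', '2.2.0'));
}
```

An exact pin in package.json only constrains direct dependencies; what actually gets installed for transitive ones is recorded in the lockfile, so the same audit would need to be run against package-lock.json (or the lockfile checked in and installed with `npm ci`) to cover the is-promise case, where the affected package was several levels down.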