Node.js Deployment – Freeze Dependencies Before Testing and Deployment? Check in node_modules?

Tags: dependencies, deployment, node.js

Suppose you have a NodeJS application.
A release could consist of multiple steps:

  1. Automated and/or manual tests
  2. Deployment
  3. (if something goes wrong) Rollback to the last stable version

There are some desirable requirements regarding the application's dependencies:

  • When you have done your testing, you want to deploy exactly the version that you tested with, including all dependencies.
  • The same goes for rollbacks: You want to restore not only your own code, but all external dependencies, too.

My question is about best practices to meet these goals.

What is the recommended way to create a snapshot of all dependencies of your NodeJS application?

Here are three options that I can think of:

  1. In this article, the author recommends putting the node_modules directory under source control. (Not for all modules, but only for modules that will be deployed.)

  2. One alternative, which the same article describes as an anti-pattern, is to use explicit version locking. His argument seems reasonable: When you lock, for example, Express to a certain version, you still cannot control that one of its dependencies hasn't introduced a subtle bug later.

  3. Just don't care and always use the most recent version of all external modules.


My thoughts so far (but I don't have much experience with NodeJS yet):

  • 3) seems to be too reckless.
  • I tend to 1), but I'm not sure where to put the node_modules. When you just check it along with your normal code, I fear that workflows like npm link to your local modules will no longer work. Additionally, there is always the problem of annoying merge conflicts.

Best Answer

You can use npm shrinkwrap to implement option #2 and lock all of the child dependencies. From the doc:

This command locks down the versions of a package's dependencies so that you can control exactly which versions of each dependency will be used when your package is installed. The "package.json" file is still required if you want to use "npm install".
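
The difference between pinning only top-level packages and locking the whole tree, as an added example that is not part of the original answer or the npm documentation. It assumes the lockfileVersion 1 layout of npm-shrinkwrap.json (nested "dependencies" objects); the function names and the sample data are constructed for illustration.

```javascript
// Added example. Assumes the lockfileVersion 1 layout of npm-shrinkwrap.json
// (nested "dependencies" objects); all names here are hypothetical.

// Flatten the nested tree into "parent>child" -> "version|integrity" entries.
function flattenLock(node, prefix = '', out = {}) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const key = prefix ? `${prefix}>${name}` : name;
    out[key] = `${dep.version}|${dep.integrity || ''}`;
    flattenLock(dep, key, out); // recurse into child dependencies
  }
  return out;
}

// Report every package whose pinned version or integrity value differs
// between the tree that was tested and the tree about to be deployed.
function diffLocks(tested, candidate) {
  const a = flattenLock(tested);
  const b = flattenLock(candidate);
  const keys = [...new Set([...Object.keys(a), ...Object.keys(b)])].sort();
  return keys
    .filter((k) => a[k] !== b[k])
    .map((k) => ({ package: k, tested: a[k] || null, candidate: b[k] || null }));
}

// What a comparison limited to top-level packages would see.
function diffTopLevel(tested, candidate) {
  return diffLocks(tested, candidate).filter((d) => !d.package.includes('>'));
}

// Constructed sample data; versions and integrity strings are placeholders.
const testedLock = {
  lockfileVersion: 1,
  dependencies: {
    express: {
      version: '4.16.0',
      integrity: 'sha512-CONSTRUCTED-A',
      dependencies: { qs: { version: '6.5.1', integrity: 'sha512-CONSTRUCTED-B' } },
    },
  },
};
// Same Express version, but one of its child dependencies has moved.
const candidateLock = JSON.parse(JSON.stringify(testedLock));
candidateLock.dependencies.express.dependencies.qs =
  { version: '6.5.2', integrity: 'sha512-CONSTRUCTED-C' };

console.log(diffTopLevel(testedLock, candidateLock)); // top-level view: no change
console.log(diffLocks(testedLock, candidateLock));    // full tree: express>qs drifted
```

Run as a release gate, a non-empty result from diffLocks means the tree being deployed is not the tree that was tested.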
