The dependencies in SPFx solutions are recorded in package.json in following ways:
Caret dependency
Any version up to (but not including) is accepted
Example - ^2.3.1 means greater than or equal to 2.3.1 but less than 3.0.0
Tilde dependency
It is similar to Caret dependency, but the range is narrower
Lock Down the Package version
When a package is added to SPFx solution using
“npm install” command, the package is downloaded and installed to the solution. It can be found under “node_modules” folder and entry of it is recorded in package.json file. Adding --save flag to
“npm install” command ensure that the dependency is recorded to package.json. This means, whenever any developer runs
“npm install” or “
npm update” on the SPFx solution, NPM will download a package of appropriate version. It is always recommended to specify --save or --save-exact while running
“npm install” command to record and track the dependencies.
Failing to specify --save flag will not record the entry in package.json and can cause code to fail because of missing packages. TypeScript compiler might throw an error “Cannot find module”.
“node_modules” folder contains the tree of dependencies for packages. The first level dependencies are stored in child “node_modules” folders. Because of this reason, “node_modules” folder can grow bigger in size and deep in the hierarchy.
“--save-exact” will avoid caret or tilde dependencies only at first level, which makes difficult to get the exact build unless we check-in entire “node_modules” folder to source control (which is not recommended and feasible solution).
Freeze the entire tree of dependencies
“npm shrinkwrap” command will help you to freeze the entire tree of dependencies. It creates a JSON file called “npm-shrinkwrap.json” which records the exact version of each package used in the solution. It is important in the production environment that the same versions of packages get installed as those used during development.