Docker

Made by DeepSource

Pin specific version in npm DOK-DL3016

Bug risk
Major

Version pinning forces the build to retrieve a particular version regardless of what’s in the cache. This technique can also reduce failures due to unanticipated changes in required packages. Read more about version pinning here.

Bad Practice

FROM node:8.9.1

RUN npm install express
RUN npm install @myorg/privatepackage

Recommended

FROM node:8.9.1

RUN npm install express@<exact-version>   # e.g. an exact release you have tested against; the version in the original example was lost in extraction
RUN npm install @myorg/privatepackage@">=0.1.0"

Exceptions

Node dependencies can be declared and pinned from within package.json so they don't need to be explicitly stated in the command line. If you have already specified dependencies this way, you only need to run npm install to use the specified versions of those dependencies.
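A small checker for the pattern this rule describes, as an added example that is not part of the DeepSource page or of hadolint: it scans a Dockerfile's RUN lines for `npm install` arguments that carry no version (scoped names such as `@myorg/privatepackage` are handled, and `@latest` is treated as unpinned), while a bare `npm install` or `npm ci` against a lockfile, as in the exception above, passes. The sample Dockerfile and its versions are constructed for the demonstration.

```shell
#!/bin/sh
# check_npm_pins: print "line:package" for every npm install argument without
# a version and return 1 if any were found (0 otherwise). Hypothetical helper.
# Limitations (kept simple on purpose): shell-form RUN only, no handling of
# backslash line continuations or the JSON exec form.
check_npm_pins() {
    awk '
    $1 == "RUN" {
        n = split($0, segs, /&&/)          # chained commands are inspected one by one
        for (i = 1; i <= n; i++) {
            m = split(segs[i], w, /[ \t]+/)
            inst = 0
            for (j = 1; j <= m; j++) {
                if (w[j] == "npm" && (w[j+1] == "install" || w[j+1] == "i")) {
                    inst = 1; j++; continue  # everything after "npm install" is an argument
                }
                if (!inst) continue
                t = w[j]
                if (t == "" || t ~ /^-/) continue                      # flags: -g, --save, ...
                if (t ~ /^(https?|git|file):/ || t ~ /\.tgz$/ || t ~ /^\.\.?\//) continue  # URLs, tarballs, paths
                s = t
                sub(/^@/, "", s)              # drop the scope marker so @org/pkg is not mistaken for a pin
                if (s !~ /@/ || s ~ /@(latest|next)$/) { print NR ":" t; bad = 1 }
            }
        }
    }
    END { exit bad ? 1 : 0 }' "$1"
}

# Constructed sample Dockerfile used to exercise the checker (versions are made up).
write_sample_dockerfile() {
    cat > "$1" <<'EOF'
FROM node:8.9.1
RUN npm install express
RUN npm install @myorg/privatepackage
RUN npm install -g npm@7.24.0 && npm install lodash@4.17.21
RUN npm install @myorg/privatepackage@">=0.1.0"
RUN npm install react@latest
RUN npm ci
EOF
}
```

Run `check_npm_pins Dockerfile` in CI; a non-zero exit status means at least one install is not pinned.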