Tanmay Pereira Naik edited this page Mar 8, 2024 · 2 revisions

Pin versions in npm.

Problematic code:

FROM node:8.9.1

RUN npm install express
RUN npm install @myorg/privatepackage
RUN npm install express sax@0.1.1
RUN npm install --global express
RUN npm install git+ssh://git@github.com:npm/npm.git
RUN npm install git+http://isaacs@github.com/npm/npm
RUN npm install git+https://isaacs@github.com/npm/npm.git
RUN npm install git://github.com/npm/npm.git

Correct code:

FROM node:8.9.1

RUN npm install express@4.1.1
RUN npm install @myorg/privatepackage@">=0.1.0"
RUN npm install express@"4.1.1" sax@0.1.1
RUN npm install --global express@"4.1.1"
RUN npm install git+ssh://git@github.com:npm/npm.git#v1.0.27
RUN npm install git+http://isaacs@github.com/npm/npm#semver:^5.0
RUN npm install git+https://isaacs@github.com/npm/npm.git#v1.0.27
RUN npm install git://github.com/npm/npm.git#v1.0.27

Rationale:

https://docs.docker.com/develop/develop-images/instructions/#apt-get

Version pinning forces the build to retrieve a particular version regardless of what’s in the cache. This technique can also reduce failures due to unanticipated changes in required packages.

Exceptions:

Pin your versions in package.json and run npm install with no arguments.
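
The check described above, sketched as an added example (not hadolint's own implementation): it flags every npm install argument that lacks a version or git ref, and accepts a bare npm install per the exception. The function names and SAMPLE are constructed for illustration, and it assumes single-line RUN instructions and flags that take no separate value.

```python
import re
import shlex

GIT_PREFIXES = ("git+ssh://", "git+http://", "git+https://", "git://")

# Constructed sample mixing lines from the two listings on this page.
SAMPLE = """\
FROM node:8.9.1
RUN npm install express sax@0.1.1
RUN npm install @myorg/privatepackage
RUN npm install --global express@"4.1.1"
RUN npm install git://github.com/npm/npm.git
RUN npm install git+https://isaacs@github.com/npm/npm.git#v1.0.27
RUN npm install
"""

def is_pinned(spec):
    """True if one `npm install` argument names a version or git ref."""
    if spec.startswith(GIT_PREFIXES):
        # Git sources are pinned by a non-empty '#<commit-ish>' fragment.
        _, sep, ref = spec.partition("#")
        return bool(sep and ref)
    # Scoped names start with '@', so skip that character before looking
    # for the '@' that separates the package name from its version.
    name_start = 1 if spec.startswith("@") else 0
    _, sep, version = spec[name_start:].partition("@")
    return bool(sep and version)

def unpinned_packages(dockerfile):
    """Return (line number, argument) for each unpinned install argument."""
    findings = []
    for lineno, line in enumerate(dockerfile.splitlines(), start=1):
        match = re.match(r"\s*RUN\s+(.*)", line, re.IGNORECASE)
        if not match:
            continue
        # A RUN line may chain several commands; inspect each one.
        for command in re.split(r"&&|\|\||;", match.group(1)):
            words = shlex.split(command)  # also strips quotes: a@"1.0" -> a@1.0
            if words[:2] not in (["npm", "install"], ["npm", "i"]):
                continue
            for arg in words[2:]:
                # Options such as --global are not package specs.
                if not arg.startswith("-") and not is_pinned(arg):
                    findings.append((lineno, arg))
    return findings

if __name__ == "__main__":
    for lineno, arg in unpinned_packages(SAMPLE):
        print(f"line {lineno}: pin a version for {arg}")
```
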
