Use Exact Versions in package.json

March 7, 2026, by Nicolas Even

Should you write:

{
  "dependencies": {
    "better-auth": "^1.4.20"
  }
}

or

{
  "dependencies": {
    "better-auth": "1.4.20"
  }
}

in your package.json?

The specific version is pinned in package-lock.json, so it seems both ways achieve the same result: npm ci always installs the same version.

However, with the caret version range, the version in package-lock.json doesn’t need to match the version in package.json¹. Concretely, if you use caret version ranges, tools such as Dependabot and npm audit fix will update package-lock.json but not package.json, so you won’t be able to see at a glance the exact versions installed.

So use exact versions.
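As an added check, not part of the original post, the script below does two things a CI job can act on: it lists direct dependencies whose specifier is a range rather than a pin, and it reports where package-lock.json has resolved a different version than package.json states. The sample package.json and the lockfileVersion 3 lock excerpt are constructed for this example, and the package names and version numbers in them are illustrative only.

```javascript
// Added example: audit package.json against package-lock.json (lockfileVersion 3).
// The two sample documents below are constructed stand-ins; in CI you would load the
// real files with fs.readFileSync + JSON.parse.

// Constructed package.json: two pinned dependencies, two range specifiers.
const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  dependencies: {
    "better-auth": "^1.4.20",
    express: "4.19.2",
    zod: "~3.23.0",
  },
  devDependencies: {
    typescript: "5.4.5",
  },
};

// Constructed lock excerpt: "node_modules/<name>" holds the version actually installed.
// better-auth and zod have been bumped in the lock (e.g. by Dependabot), package.json has not.
const SAMPLE_PACKAGE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: SAMPLE_PACKAGE_JSON.dependencies, devDependencies: SAMPLE_PACKAGE_JSON.devDependencies },
    "node_modules/better-auth": { version: "1.4.27" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/zod": { version: "3.23.8" },
    "node_modules/typescript": { version: "5.4.5" },
  },
};

// An exact version is X.Y.Z, optionally with a prerelease/build suffix, and no range operator.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isExactVersion(spec) {
  return EXACT_VERSION.test(spec);
}

// Every direct dependency across the sections npm installs for an application.
function directDependencies(pkg) {
  const out = {};
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    Object.assign(out, pkg[section] || {});
  }
  return out;
}

// Names whose specifier is a range (^, ~, >=, *, x, ||, ...) rather than an exact pin.
function rangedDependencies(pkg) {
  return Object.entries(directDependencies(pkg))
    .filter(([, spec]) => !isExactVersion(spec))
    .map(([name]) => name)
    .sort();
}

// Direct dependencies whose installed version in the lock differs from package.json.
// With exact pins this list is always empty; with ranges it silently grows over time.
function lockDrift(pkg, lock) {
  const drift = [];
  for (const [name, spec] of Object.entries(directDependencies(pkg))) {
    const entry = lock.packages && lock.packages[`node_modules/${name}`];
    if (!entry) {
      drift.push({ name, spec, installed: null }); // in package.json but not in the lock
    } else if (entry.version !== spec) {
      drift.push({ name, spec, installed: entry.version });
    }
  }
  return drift.sort((a, b) => a.name.localeCompare(b.name));
}

console.log("range specifiers:", rangedDependencies(SAMPLE_PACKAGE_JSON));
console.log("lock drift:", lockDrift(SAMPLE_PACKAGE_JSON, SAMPLE_PACKAGE_LOCK));
```

In a pipeline, fail the build when either list is non-empty: the first catches a caret or tilde that slipped into package.json, the second catches a lock bump that package.json does not reflect, which is exactly the situation the post describes.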

Libraries

The above only applies to applications. For libraries, if every library author used exact versions, npm wouldn’t be able to dedupe transitive dependencies, and each project would end up with many instances of slightly different versions of the same library.
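To make the deduplication argument concrete, here is an added toy resolver, not npm's own code and not from the post: each library's requirement either reuses an already-installed copy of a package when the requirement allows it, or installs the highest matching release. The registry contents and the library names are constructed; caret handling covers versions at or above 1.0.0 only, and 0.x versions, which npm treats more restrictively, are left out.

```javascript
// Added example: simulate npm-style dedupe for three libraries that all depend on
// one shared package, once with caret ranges and once with exact pins.
// REGISTRY and the library names are constructed for illustration.

const REGISTRY = {
  "shared-lib": ["1.4.20", "1.4.25", "1.5.0", "2.0.0"],
};

// Release versions only (no prerelease suffix) in this toy.
function parseVersion(v) {
  const [major, minor, patch] = v.split(".").map(Number);
  return { major, minor, patch };
}

function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  return x.major - y.major || x.minor - y.minor || x.patch - y.patch;
}

// "^X.Y.Z" for X >= 1 means: same major, and not older than X.Y.Z. Anything else is an exact pin.
function satisfies(version, spec) {
  if (spec.startsWith("^")) {
    const base = spec.slice(1);
    return (
      parseVersion(version).major === parseVersion(base).major &&
      compareVersions(version, base) >= 0
    );
  }
  return version === spec;
}

// requirements: [{ from, name, spec }]. Returns { name: [installed versions] }.
function resolve(requirements) {
  const installed = {};
  for (const { name, spec } of requirements) {
    installed[name] = installed[name] || [];
    // Dedupe: an already-installed copy that satisfies the range is reused.
    if (installed[name].some((v) => satisfies(v, spec))) continue;
    const candidates = (REGISTRY[name] || [])
      .filter((v) => satisfies(v, spec))
      .sort(compareVersions);
    if (candidates.length === 0) throw new Error(`no version of ${name} satisfies ${spec}`);
    installed[name].push(candidates[candidates.length - 1]); // highest matching release
  }
  return installed;
}

function copiesInstalled(requirements, name) {
  return resolve(requirements)[name].length;
}

const WITH_CARETS = [
  { from: "lib-a", name: "shared-lib", spec: "^1.4.20" },
  { from: "lib-b", name: "shared-lib", spec: "^1.4.25" },
  { from: "lib-c", name: "shared-lib", spec: "^1.5.0" },
];

const WITH_EXACT_PINS = [
  { from: "lib-a", name: "shared-lib", spec: "1.4.20" },
  { from: "lib-b", name: "shared-lib", spec: "1.4.25" },
  { from: "lib-c", name: "shared-lib", spec: "1.5.0" },
];

console.log("carets:", resolve(WITH_CARETS));      // one copy of shared-lib
console.log("exact pins:", resolve(WITH_EXACT_PINS)); // three copies of shared-lib
```

With carets the three requirements collapse onto a single 1.5.0 install; with exact pins every library drags in its own copy, which is the "many instances of slightly different versions" outcome the section describes, and also three times the code to patch when one of them has a vulnerability.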


  1. To be more precise, the version in package-lock.json must match the semver range in package.json, but not the exact version in the semver string (here 1.4.20).