Difference between tilde (~) and caret (^) in package.json, Semantic Versioning of npm packages and npm audit for vulnerability fixes

November 27, 2019

In the package.json file of a Node.js application, dependencies are listed together with a version. These version numbers are often preceded by a tilde (~) or a caret (^) character. What do they actually mean, and what is the difference between them?

Semantic Versioning of npm packages

Consider a version of a package like 1.2.3

It is of the form MAJOR.MINOR.PATCH

MAJOR is incremented when a change is made that can affect compatibility; the new version might not be backward compatible.

MINOR is incremented when a change is made in a backward-compatible manner.

PATCH is incremented when backward-compatible bug fixes are made.

Additional labels for pre-release and build metadata are available as extensions to the MAJOR.MINOR.PATCH format.

Caret allows the installed version to be updated up to, but not including, the next major version; tilde allows it to be updated up to, but not including, the next minor version. We will see this in detail below.

caret (^) character in the version

A caret (^) before a version number means that the installed package version can be updated up to the latest minor and patch of the same major version. For example, suppose the sequelize package is installed with version ^1.0.1. npm install will install the version with the latest minor and patch for the same major version (the major version here is 1).

See the early versions of the sequelize module below. We use version 1.0.1 just as an example.

Thus the version with the latest minor and patch for major 1 is 1.7.11. Navigate to the sequelize folder in node_modules and check its package.json file. You will see the version as 1.7.11, which means the installed package was updated to the latest minor and patch of major 1, as shown below.

tilde (~) character in the version

A tilde (~) before a version number means that the installed package version can be updated up to the latest patch of the same major and minor version. For example, suppose the sequelize module is installed with version ~1.0.1.

package.json file with tilde

Navigate to the sequelize folder in node_modules. You will see the version as 1.0.2, since 1.0.2 is the latest patch version with major 1 and minor 0.

The reason caret is used in most cases is that, under semantic versioning, minor and patch updates are backward compatible.

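To make the caret and tilde rules concrete, here is an added example (not code from the original post, and not npm's own implementation) that resolves a range against a list of published versions the way npm install would: pick the highest version inside the range. It goes slightly beyond the post by also handling the 0.x case, where the semver spec makes caret behave differently. The version lists are constructed for illustration; they include the sequelize versions the post mentions (1.0.1, 1.0.2, 1.7.11) but the rest are made up.

```javascript
// Added example, not code from the original post: a minimal resolver that mimics
// how npm picks a version for a caret (^) or tilde (~) range from the list of
// versions published in the registry. No external packages are used, and the
// version lists below are CONSTRUCTED for illustration (they include the
// sequelize versions the post mentions: 1.0.1, 1.0.2 and 1.7.11).

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

// Ascending comparison on parsed {major, minor, patch} objects.
function cmp(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Exclusive upper bound implied by the range operator:
//   ~1.2.3 -> <1.3.0   (patch updates only)
//   ^1.2.3 -> <2.0.0   (minor and patch updates)
// Caret caveat from the semver spec (not covered in the post): when the major
// is 0, the first non-zero component acts as the "major" one, so
//   ^0.2.3 -> <0.3.0   and   ^0.0.3 -> <0.0.4
function upperBound(op, base) {
  if (op === '~') return { major: base.major, minor: base.minor + 1, patch: 0 };
  if (op === '^') {
    if (base.major > 0) return { major: base.major + 1, minor: 0, patch: 0 };
    if (base.minor > 0) return { major: 0, minor: base.minor + 1, patch: 0 };
    return { major: 0, minor: 0, patch: base.patch + 1 };
  }
  throw new Error(`unsupported range operator: ${op}`);
}

// True when `version` lies inside `range` ("1.2.3", "~1.2.3" or "^1.2.3").
function satisfies(version, range) {
  const m = /^([\^~]?)\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const [, op, baseStr] = m;
  const base = parseVersion(baseStr);
  const v = parseVersion(version);
  if (op === '') return cmp(v, base) === 0; // exact pin, no operator
  return cmp(v, base) >= 0 && cmp(v, upperBound(op, base)) < 0;
}

// The version npm install would pick: the highest published version that
// satisfies the range, or null when nothing does.
function resolve(range, published) {
  const matching = published.filter((v) => satisfies(v, range));
  if (matching.length === 0) return null;
  return matching
    .map((v) => ({ str: v, parsed: parseVersion(v) }))
    .sort((a, b) => cmp(a.parsed, b.parsed))
    .pop().str;
}

// CONSTRUCTED registry listing, loosely modelled on sequelize 1.x/2.x.
const SEQUELIZE_VERSIONS = [
  '1.0.0', '1.0.1', '1.0.2', '1.1.4', '1.3.7', '1.6.0',
  '1.7.10', '1.7.11', '2.0.0', '2.1.3', '3.0.0',
];

// CONSTRUCTED 0.x listing, to show the caret caveat.
const ZERO_X_VERSIONS = ['0.2.3', '0.2.9', '0.3.0', '0.4.1'];

console.log('^1.0.1 ->', resolve('^1.0.1', SEQUELIZE_VERSIONS)); // 1.7.11
console.log('~1.0.1 ->', resolve('~1.0.1', SEQUELIZE_VERSIONS)); // 1.0.2
console.log('^0.2.3 ->', resolve('^0.2.3', ZERO_X_VERSIONS));    // 0.2.9
```

The two calls on SEQUELIZE_VERSIONS reproduce the post's results (1.7.11 for the caret, 1.0.2 for the tilde). The 0.x call shows why the "caret is safe because minor updates are backward compatible" reasoning only holds from 1.0.0 upwards: below that, a minor bump is allowed to break things, and npm's caret rule narrows accordingly.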
npm audit

npm audit scans your project for vulnerable packages, and npm audit fix updates the vulnerable packages if updates with fixes are available. Modules like lodash, seriate, etc. have been found to have vulnerabilities that are fixed in later versions.

For example, run npm init, create a package.json file, and add a single dependency: seriate 0.4.1. Run npm install to install the dependencies. On running npm audit, we get:

found 24 vulnerabilities (9 low, 1 moderate, 14 high) in 56 scanned packages
  24 vulnerabilities require major dependency updates.

To fix these vulnerabilities, we run npm audit fix. As we can see, 234 vulnerabilities are found in a dependency package. These are major updates, because the seriate version we used is a very old one, so we have to force the fix with npm audit fix --force. If the changes had been minimal, npm audit fix alone could have done the job. As you can see here, the module is updated to 3.0.0, which is the latest safe and stable version.

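The distinction the post draws here, between fixes npm audit fix applies on its own and fixes that cross a major version and need --force, can be read directly from the JSON form of the audit report. The following is an added example (not code from the original post, and not part of npm) that triages such a report. The report object is constructed in the shape of the npm 7+ `auditReportVersion: 2` output, where each entry's `fixAvailable` is `true`, `false`, or an object carrying `isSemVerMajor`; the post's 2019 run used npm 6, whose JSON layout is different. The package names, ranges and versions in the sample are illustrative, not real advisories.

```javascript
// Added example, not code from the original post: a small triage helper for the
// JSON form of `npm audit`. It counts findings by severity and separates the
// fixes `npm audit fix` will apply on its own from those that cross a major
// version and therefore need `npm audit fix --force`. The report below is
// CONSTRUCTED in the shape of the npm 7+ "auditReportVersion: 2" output (the
// post's 2019 output came from npm 6, whose JSON layout is different); the
// package names, ranges and versions are illustrative, not real advisories.

const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-db-lib': {
      name: 'example-db-lib', severity: 'high', isDirect: true, range: '<3.0.0',
      // Fix exists but jumps a major: npm audit fix refuses without --force.
      fixAvailable: { name: 'example-db-lib', version: '3.0.0', isSemVerMajor: true },
    },
    'example-util': {
      name: 'example-util', severity: 'low', isDirect: false, range: '<4.17.12',
      fixAvailable: true, // fix lies inside the existing semver range
    },
    'example-parser': {
      name: 'example-parser', severity: 'moderate', isDirect: false, range: '*',
      fixAvailable: false, // no fixed release published yet
    },
  },
};

function triage(report) {
  if (report.auditReportVersion !== 2) {
    throw new Error('expected an auditReportVersion 2 report (npm 7 or later)');
  }
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  const autoFix = [];     // npm audit fix handles these on its own
  const forceNeeded = []; // require npm audit fix --force (major bump)
  const noFix = [];       // nothing to upgrade to yet; mitigate or replace
  for (const vuln of Object.values(report.vulnerabilities)) {
    if (!(vuln.severity in counts)) {
      throw new Error(`unknown severity: ${vuln.severity}`);
    }
    counts[vuln.severity] += 1;
    const fix = vuln.fixAvailable;
    if (fix === true) autoFix.push(vuln.name);
    else if (fix && fix.isSemVerMajor) forceNeeded.push(`${vuln.name} -> ${fix.version}`);
    else if (fix) autoFix.push(vuln.name); // object form without a major bump
    else noFix.push(vuln.name);
  }
  return { counts, autoFix, forceNeeded, noFix };
}

// One-line summary in the spirit of npm's own "found N vulnerabilities" line.
function summaryLine(result) {
  const c = result.counts;
  const total = Object.values(c).reduce((a, b) => a + b, 0);
  return `found ${total} vulnerabilities (${c.low} low, ${c.moderate} moderate, ` +
    `${c.high} high, ${c.critical} critical); ` +
    `${result.forceNeeded.length} require major dependency updates`;
}

const result = triage(SAMPLE_REPORT);
console.log(summaryLine(result));
console.log('safe for npm audit fix:', result.autoFix);
console.log('need npm audit fix --force:', result.forceNeeded);
console.log('no fix available:', result.noFix);
```

To run it against a real project, save `npm audit --json > audit.json` and replace SAMPLE_REPORT with `JSON.parse(require('fs').readFileSync('audit.json', 'utf8'))`. The value of splitting the list this way is that the --force entries are exactly the ones that may change a library's API, so they deserve a test run rather than a blind upgrade, while the noFix entries are the ones that need a mitigation or a replacement package.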
Please share your thoughts, suggestions or corrections in the comment box below.