Yes, you should use npm shrinkwrap. It baffles me that automatically updating your dependencies is considered the right thing to do.
Practically that means that you can push a semicolon fix, your CI server will fetch a different (newer) version of a dependency and break something completely unrelated.
Secondly, it's not deterministic and will generate huge diffs every time you run it even if nothing changes.
Uber has a tool called npm-shrinkwrap that in theory is supposed to solve the latter, but I've never gotten it working on my current projects: https://github.com/uber/npm-shrinkwrap
> It baffles me that automatically updating your dependencies is considered the right thing to do.
The idea is to rely on semver. If you do ~1.3.4 in your dependency then if that dependency follows semver properly, you'll get 1.3.5 if it's out, and your stuff will still work, but you're getting bug fixes and patches without having to keep an eye on the sometimes hundreds of dependencies. Luckily tools like greenkeeper.io are around now.
The drawback is that many people don't follow semver, so I opt to append --save-exact to all npm installs (actually I have npm config set save-exact true).
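Added example, not code from this thread: a minimal resolver for npm's tilde (~) ranges versus exact pins, run over constructed registry snapshots to show how an unchanged package.json resolves to a different version the day a patch release appears. Version numbers and the "Monday"/"Tuesday" registry lists are made up; only three-part versions are handled.

```javascript
// Added example (not from the thread): a minimal resolver for npm's "~" (tilde)
// ranges versus exact pins, showing why an unpinned range resolves differently
// once a new patch release is published. Assumes three-part versions only;
// prerelease tags and other range operators are deliberately not handled.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// "~1.3.4" allows >=1.3.4 <1.4.0 (patch updates only); a bare "1.3.4" is exact.
function satisfies(range, version) {
  const exact = range.startsWith('~') ? range.slice(1) : range;
  const [rMaj, rMin] = parseVersion(exact);
  const [vMaj, vMin] = parseVersion(version);
  if (!range.startsWith('~')) return compareVersions(version, exact) === 0;
  return vMaj === rMaj && vMin === rMin && compareVersions(version, exact) >= 0;
}

// Pick the highest published version that satisfies the range (what npm does
// when there is no lockfile). Returns null when nothing matches.
function resolve(range, published) {
  const candidates = published.filter((v) => satisfies(range, v));
  if (candidates.length === 0) return null;
  return candidates.sort(compareVersions).pop();
}

// Constructed registry snapshots: before and after upstream ships 1.3.5.
const REGISTRY_MONDAY = ['1.2.9', '1.3.3', '1.3.4', '1.4.0'];
const REGISTRY_TUESDAY = [...REGISTRY_MONDAY, '1.3.5'];

// Same package.json, different install result: the CI drift described above.
// resolve('~1.3.4', REGISTRY_MONDAY)  -> '1.3.4'
// resolve('~1.3.4', REGISTRY_TUESDAY) -> '1.3.5'
// resolve('1.3.4', REGISTRY_TUESDAY)  -> '1.3.4'  (pinned with --save-exact)
```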
Exactly. In an ideal world, semver would solve this issue really easily (probably not completely, but to a large extent). However, there are so many dependencies in a typical nodejs project that I have a hard time trusting that devs will follow semver :)