I understand the goal of the shrinkwrap to be that all users have exactly all the same dependency versions for execution, and the developers have the same for dev/test.
Today the process [1] is for the shrinkwrap to exist in git only during the release process. While this covers the users for execution, it leaves out the developers for dev/test. Additionally, continuing in this way postpones discovery of shrinkwrap issues to the release period instead of catching them earlier.

I suggest that:

- The shrinkwrap exist in git at all times, not just during the release process.
- At the beginning of a new dev/test cycle in a project that has a shrinkwrap, developers should not only "git pull", but should also "rm -r node_modules ; npm install".
- Also at the beginning of a new dev cycle in a project that has a shrinkwrap, developers should run "npm outdated" to look for opportunities to freshen versions of dependencies for purposes of general hygiene. Whether or not to do the freshen in this case is up to the discretion of the developer. But at least look and see if something is crusty.
- If there is a functional problem during dev/test that can be resolved by freshening the versions of dependencies, do it.
- Only cordova-cli should have a shrinkwrap. The parent's shrinkwrap includes the whole tree of children (dependencies).

[1]: https://github.com/apache/cordova-coho/blob/master/docs/tools-release-process.md

Whaddya think?

(Credit to Carlos for stopping by my office to share ideas)