Quite a few of the dependencies such as stylis are locked to a version instead of using the ^.
There are fixes in new patch versions I have been waiting for.
@rauchg @nkzawa @leo can we unpin dependencies? Also because Greenkeeper has never worked for styled-jsx
maybe we can ship it without lockfiles
Unlocking dependencies leads to a very high risk of breaking - we've been experiencing this hundreds of times. Unlocked deps mean everyone can publish patches which can break our software (it's a mistake made by the npm team - the SemVer spec doesn't include these things).
We should update the dependency manually! 😊
Agreed but you could pin deps in your app if that's a concern
It is best practice not to publish package locks or pin dependencies. That is how the vast majority of packages on npm work. If every package had pinned dependencies there would be a lot of duplicate node_modules. Generally patches fix more issues than they create. If a package regularly releases broken patches, time to choose a more reliable dependency.
It is up to consumers to use a package-lock.json file for predictable testing and deployments.
That's how sindresorhus manages all his packages: Lockfiles for apps, but not for packages. del has 500k installs a day: https://github.com/sindresorhus/del/blob/master/package.json#L47.
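Added example, not code from the styled-jsx project or from anyone in this thread: a small script that reads a package.json and reports, per dependency, whether the specifier is an exact pin, a caret (`^`) range or a tilde (`~`) range, and which versions npm would accept for each. It makes concrete the trade-off argued above: a floating range lets a fresh install (no lockfile) pick up any newly published version inside the range, an exact pin does not. The package.json and all version numbers in it are constructed for the example and are not the real dependency versions of any project.

```javascript
// Constructed sample package.json (illustrative names/versions only).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-lib',
  dependencies: {
    'stylis': '3.4.5',              // exact pin: only 3.4.5 can be installed
    'babel-types': '^6.26.0',       // caret: 6.26.0 <= version < 7.0.0
    'convert-source-map': '~1.5.0', // tilde: 1.5.0 <= version < 1.6.0
    'left-pad': '^0.1.2',           // caret on 0.x: 0.1.2 <= version < 0.2.0
  },
});

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Classify a dependency specifier. Only the three shapes that matter for the
// pin/unpin discussion are handled; anything else (||-ranges, tags, git URLs) is 'other'.
function classifySpec(spec) {
  if (/^\d+\.\d+\.\d+$/.test(spec)) return 'exact';
  if (/^\^\d+\.\d+\.\d+$/.test(spec)) return 'caret';
  if (/^~\d+\.\d+\.\d+$/.test(spec)) return 'tilde';
  return 'other';
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound the specifier allows, following npm's semver rules:
//   ~x.y.z -> next minor
//   ^x.y.z -> next major; for 0.y.z the next minor; for 0.0.z the next patch
function upperBound(kind, base) {
  const [major, minor, patch] = base;
  if (kind === 'tilde') return [major, minor + 1, 0];
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// Would npm accept `candidate` for `spec`?
function satisfies(spec, candidate) {
  const kind = classifySpec(spec);
  if (kind === 'other') throw new Error(`unsupported specifier: ${spec}`);
  const base = parseVersion(spec.replace(/^[\^~]/, ''));
  const c = parseVersion(candidate);
  if (kind === 'exact') return compareVersions(c, base) === 0;
  return compareVersions(c, base) >= 0 &&
         compareVersions(c, upperBound(kind, base)) < 0;
}

// Audit a package.json: for each dependency, say whether a fresh install without a
// lockfile could pull in a version the package author never tested against.
function auditDependencies(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const deps = Object.assign({}, pkg.dependencies, pkg.devDependencies);
  return Object.entries(deps).map(([name, spec]) => {
    const kind = classifySpec(spec);
    return {
      name,
      spec,
      kind,
      // a newly published upstream version is auto-adopted unless the spec is an exact pin
      floating: kind !== 'exact',
    };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(auditDependencies(SAMPLE_PACKAGE_JSON));
}
```

Run it with `node` on a real package.json by swapping `SAMPLE_PACKAGE_JSON` for `fs.readFileSync('package.json', 'utf8')`. For a library, a `floating` row is the normal case the thread describes; for an app, the same row is the reason a committed lockfile matters, because the lockfile (not the range) is what makes the installed version reproducible.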