Then you can’t upgrade anything unless create-react-app releases a new version (or you eject), which, in addition to the obvious release cadence problem, might introduce other compatibility problems.
It's not like pinning means you can /never/ update. You just get to do it on your own schedule.
You can even automate updating to some degree -- running your tests against the latest everything and then locking in to those versions if all goes well.
Again, this only works for project skeletons, and not for any other package that happened to have a transient dependency on `is-promise` (which is a lot more than project skeletons).
Maybe I'm misunderstanding how those projects work. From what I recall, they generate a project, including the package.json. So I'm not sure why they couldn't just generate the package.json with pinned versions?
I don't write much JS, and have only used create-react-app just a few times, so feel free to explain why this isn't possible.
package.json only lists top-level dependencies. package-lock.json tracks all dependencies, and dependencies of dependencies. is-promise is one of those dependencies of a dependency, which you don't have much control over.
How could a dependency-of-dependency change version if one of the direct dependencies doesn't change version? I guess, if the direct dependency isn't pinning that version? Another case of, everyone should be pinning dependencies.
Exactly, node's conventions are to allow a range of versions (semver compatible). True, if all dependencies were pinned, this wouldn't come up as often.
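To make the point in the last two comments concrete, here is an added example (not code from the thread, npm, or the semver package): a simplified model of how a caret range in a direct dependency's package.json lets a transitive dependency like is-promise change between two installs, and how a lockfile entry prevents that. The registry contents and the `some-dep` package are constructed sample values.

```javascript
// Simplified semver range model (added example). Handles only the "^x.y.z",
// "~x.y.z" and exact "x.y.z" forms; no prerelease tags, no "||" or ">=" ranges.
function parseVersion(v) {
  const [major, minor, patch] = v.split('.').map(Number);
  return { major, minor, patch };
}

function compare(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return pa.major - pb.major || pa.minor - pb.minor || pa.patch - pb.patch;
}

// Does `version` fall inside `range`?
function satisfies(range, version) {
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const baseStr = op ? range.slice(1) : range;
  const base = parseVersion(baseStr), v = parseVersion(version);
  if (compare(version, baseStr) < 0) return false;      // never below the base
  if (op === '') return compare(version, baseStr) === 0; // exact pin
  if (op === '~') return v.major === base.major && v.minor === base.minor;
  // caret: same major, except 0.x where the left-most non-zero part is fixed
  if (base.major > 0) return v.major === base.major;
  if (base.minor > 0) return v.major === 0 && v.minor === base.minor;
  return v.major === 0 && v.minor === 0 && v.patch === base.patch;
}

// Newest published version inside the range: what a fresh install picks when
// no lockfile records an earlier choice.
function resolve(range, published) {
  const ok = published.filter(ver => satisfies(range, ver)).sort(compare);
  return ok.length ? ok[ok.length - 1] : null;
}

// With a lockfile entry, the recorded version is reused as long as it is still
// published and still inside the declared range; otherwise fall back to resolve().
function resolveLocked(range, published, locked) {
  return locked && published.includes(locked) && satisfies(range, locked)
    ? locked : resolve(range, published);
}

// Constructed sample: a direct dependency that never changed its own version
// still declares a caret range on is-promise.
const directDep = { name: 'some-dep', version: '1.4.0', deps: { 'is-promise': '^2.0.0' } };
const registryBefore = ['2.0.0', '2.1.0'];          // constructed registry state
const registryAfter = ['2.0.0', '2.1.0', '2.2.0'];  // constructed: a new 2.x appears

function transitiveVersion(registry, locked) {
  return resolveLocked(directDep.deps['is-promise'], registry, locked);
}
```

Two installs of the same `some-dep@1.4.0` resolve is-promise differently once the registry grows, while an install that honours the lockfile's `2.1.0` does not move until someone chooses to update it.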
That also means that there would be a lot more updating when security issues are found.
Works for existing apps, but people using create-react-app and angular CLI can't even start a new project.