You are probably using package.json for your dependencies and running
npm install on your production server. That's a very convenient way to do it. STOP DOING IT NOW!
Here are a few reasons why you should reconsider your strategy:
You're relying on npm to serve you the same version of the code that your development environment was built against, including all sub-dependencies, but that is not guaranteed if the dependency versions are not locked down; read more about npm shrinkwrap.
You're 100% sure that npm or the online repository will always be available to serve the exact packages you want; well, that is not always true.
You're using it despite npm's own advice not to:
Use npm to manage dependencies in your dev environment, but not in your deployment scripts.
Your code is your responsibility!
Remember that your repository is the history of your development process; you should be able to roll back to an older version if something goes wrong, and everything should work as before.
Minimize risk. Bad things can happen, but you had better be prepared: you should not make yourself vulnerable to every little problem. Try to solve them from the beginning and raise your defences.
Thanks for reading.
You can leave comments on Hacker News.