Exact Version Pinning (=) — When and Why
Pin a dependency to an exact version with =1.2.3 or just 1.2.3. Understand the trade-offs between reproducibility and missing security patches.
Comparison Operators
Detailed Explanation
Exact Version Pinning
Exact version pinning means accepting only one specific version of a dependency, no ranges, no flexibility.
Syntax
Both of these are equivalent:
=1.2.3
1.2.3
Without any operator prefix, a bare version number means "exactly this version."
When to Pin Exact Versions
Good reasons to pin:
- A specific version has been audited for security
- The dependency does not follow SemVer (breaks on minor/patch updates)
- You need bit-for-bit reproducible builds without a lock file
- The library is a compiler or code generator where output changes matter
Situations to avoid pinning:
- You miss automatic security patches
- Dependency resolution conflicts increase (diamond dependency problem)
- You create more maintenance burden (manual updates required)
Pinning vs Lock Files
| Approach | package.json | Lock File | Update Behavior |
|---|---|---|---|
^1.2.3 |
Range | Pins exact | npm update moves within range |
=1.2.3 |
Exact | Same exact | npm update does nothing |
^1.2.3 + no lock |
Range | None | Always gets latest in range |
Recommendation
For most projects, use caret ranges with a lock file:
package-lock.json(npm) oryarn.lock(Yarn) pins the exact resolved versionnpm updateoryarn upgrademoves within the caret range- You get the best of both worlds: reproducibility AND easy updates
Exact pinning should be reserved for exceptional cases where even patch updates are risky.
Use Case
Locking a dependency to a specific audited version in a security-sensitive application, or managing a dependency that does not follow SemVer conventions.