Mar 2026 · AI & Product Development · 3 min read

npm: dependency management done defensively

Other people have already built most of the pieces you need. npm is how you borrow them. The trick is borrowing carefully so they don't break your project later.

When you build something for the web, you don't build every single piece from scratch. Need a date picker? Someone already made a great one. Need to format dates nicely? There's a package for that. npm is the system that lets you pull in these ready-made pieces (called packages or dependencies) and use them in your project. Think of it like a massive library where you can borrow building blocks other developers have already tested and refined.

Why it matters

Borrowing other people's work saves enormous amounts of time. But here's the catch: those borrowed pieces get updated, and sometimes an update changes how something works in a way that breaks your project. The defensive approach is to lock down exactly which versions you're using (the lockfile records the resolved version and an integrity hash for every package, so each install reproduces the same tree instead of quietly picking whatever is newest), update one piece at a time instead of everything at once, and check that things still work after every update. It's the difference between a project that hums along for years and one that mysteriously breaks because something you didn't even touch got upgraded behind the scenes.

How to get started

When you add a new package, test your project right away to make sure nothing broke. Always commit your lockfile (package-lock.json) alongside package.json; it's the receipt that records the exact versions of everything you borrowed, and installing from it with `npm ci` rather than `npm install` makes the install fail loudly if the two files disagree instead of silently resolving something different. When it's time to update, run `npm outdated` to see what's behind, then update one package at a time (`npm install <name>@<version>`), not all of them in a batch, so a breakage points at a single change. And after every update, actually look at your project. Some problems only show up when you're clicking around, not during the build process.

When to use it

Whenever you catch yourself about to build something from scratch that feels like a common problem (calendar widgets, animation helpers, form validation), check if there's a well-maintained package first: recent releases, a responsive maintainer, and a small dependency tree of its own. But be selective. Every package you add is a dependency you'll need to maintain, and every dependency it pulls in comes along for the ride. If you only need one small feature from a huge package, sometimes it's better to write it yourself.

Nirmit Meher

Product leader shipping across enterprise SaaS, AI in production, and 0→1. Writing about what actually ships — not what sounds good in a deck.