How do we decide tool versions?

[mattgallagher92]

In commit 50a9aa1c4e2fe235dec6b76fa94f6fa02dd61c91 (30 Mar 2021), the npm lockfileVersion was updated to 2. The package-lock.json docs suggest this implies use of npm version 7+. At the time of the commit, the version of npm distributed with the LTS version of node ("recommended for most users") was 6.14.11, hence this is what I was using. This meant that when I used npm for new SAFE apps, I was getting lots of diff noise in package-lock.json. I then had to choose between updating node to a version not recommended for most users, or committing a noisy diff.

Although it didn't on 26 Oct, the LTS version of node now comes with npm v8, so this is no longer a problem. There are a few questions that it raises though:

• Why did we decide to go with npm v7 rather than npm v6? To be clear, I'm not suggesting that the decision was wrong.
• More generally, how do we decide which versions of tools the SAFE template should rely on?

[mattgallagher92]

Discussed with Maxime and Tomasz:

• We can specify the required versions of npm and node using the "engines" field in package.json, and enforce them in .npmrc. See Nacara for an example.