sindresorhus
commented
9 years ago That's how semver and npm works. I'd recommend you spend some time learning it.
It's up to you to prevent possible breakage by either committing your dependencies, npm shrinkwrap, or other things.
Not the place to discuss this though.
I've just ran in to an issue where our build server pulled down v1.0.0 of grunt-sass, but its child dependencies had been upgraded from the v1.0.0 that I had on my local machine.
The version of LibSass on my local grunt-sass v1.0.0 was v3.2.2, but the server had 3.2.5. Unfortunately, this broke our build because of what seems like a new bug introduced to LibSass https://github.com/sass/libsass/issues/1277.
So, my question is, how can v1.0.0 of grunt-sass pull down different versions, and shouldn't it have been upgraded to v1.0.x? Otherwise, our build process can break at any time in the future without warning.