How is reproducable build guaranteed with version ranges in NPM

I know with npm, caret and tilder and some logical operators can be used to specify version ranges. This post explains a bit on how this works.

The problem now is I find it hard to rectify the use of version ranges with the idea of having reproducible builds.

I mean version ranges for dependencies means that you are not specifying a requirement for a particular version but a range of version, which might change between builds (ie a patch release of a dependency was released between the last and current build).

Reproducible build seeks to remove variability in environment ensuring that every repeated build would always be the same.

From where I stand, these two ideas are in conflict with each other, hence my question here: perhaps someone can help me understand how it is ever possible to have reproducible builds with version ranges when using npm

Go to Source
Author: Finlay Weber

Does `npm audit` add any value when using `dependabot`

Context

There are multiple ways to scan projects for vulnerabilities.

Dependabot can be configured to check repositories for issues, and automatically submits pull requests to resolve.

NPM Audit will scan the packages used in an NPM solution for known vulnerabilities.

We’re trying to work out whether, if Dependabot is enabled, there’s any added value to using NPM Audit in our pipelines. I’m asking this solely from the perspective of what’s detected; not how the tools work (i.e. whether they can cause a pipeline to block/fail).

The actual question

Do both tools base their decisions on some common known-issue database, or is it common to see each tool detect different sets of problems?

Go to Source
Author: JohnLBevan