In this post, we cover our experience with our recent migration from npm to pnpm at Coana.

Are you confused about open source licenses and how to work with them? In this post, we cover the basics of open source licenses and provide some actionable tips on how to manage licenses in your software projects.

Phantom dependencies are dependencies you use without explicitly including them in your package.json. In this post we examine why they are bad and what you can do to avoid them.

In this post, I introduce the Coana Package Manager. A new VS Code extension to help with npm dependency management.

In this post, we examine how to work with semantic versioning in practice. We consider topics such as package version constraints, lock files and vulnerability disclosure bots.

In this post, we provide a quick introduction to the principles of semantic versioning and help you understand how to use it in practice as an npm application developer.

One valid argument for keeping your dependencies on the latest major is to also get fixes for security vulnerabilities that aren't backported to older majors. But how frequent are backports actually? Can we always assume that security fixes are released for old majors? In this post we answer those questions by conducting a study on more than 10,000 security advisories for the GitHub advisory database.

The npm command line interface provides a whole suite of rarely used commands that you can use to boost your productivity. In this post, we examine some of the most useful but least well-known commands.

If you are unsure about how to use the package-lock.json (or yarn.lock) file in your project, you're not alone. This file is essential for ensuring that your project's dependencies are restored to the same versions on any machine where you run 'npm install' or 'yarn'.

Picking low quality packages can be detrimental to a npm project. If a package is not well maintained, it may stop working or no longer effectively solve your problems, leaving you with the technical burden of replacing the package. But how do you evaluate the quality of an npm package?