In package.json, those symbols (~, ^, *) are version range specifiers for npm/yarn/pnpm, and they control how dependency updates are allowed when you run install or update.
Here’s the breakdown:
^ (caret) – Allow non-breaking updates
- Means “install the latest minor/patch version, but don’t bump the major version.”
- Example:
  "lodash": "^4.17.21"
  → Can install anything from 4.17.21 up to <5.0.0.
- Good default for most libraries following semver.
~ (tilde) – Allow patch updates only
- Means “stick to this minor version, but allow patches.”
- Example:
  "lodash": "~4.17.21"
  → Can install 4.17.22, 4.17.23, etc., but not 4.18.0.
- Use when you want more stability, but still get bug fixes.
* (wildcard) – Allow any version
- Means “any version is fine.”
- Example:
  "lodash": "*"
  → Will install the latest available version, even major bumps.
- Very risky; rarely used outside internal tools or prototyping.
Other related patterns
- Exact version:
  "lodash": "4.17.21"
  → Only ever installs that exact version.
- Ranges:
  "lodash": ">=4.17.0 <5.0.0"
  → Explicit range control.
- X ranges:
  "lodash": "4.17.x"
  → Any patch in 4.17.
- Latest:
  "lodash": "latest"
  → Always grabs newest published version.
Rule of thumb:
- Use ^ for libraries where minor updates are safe.
- Use ~ for more stability-sensitive code.
- Avoid * in production unless you love surprise breakages.
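
To see how far each specifier above lets a dependency drift when a new version is published, here is an added example (not npm's own resolver and not code from the original page) that computes the bounds of each pattern and picks the highest matching version. It goes one step beyond the text by covering the caret's narrower behaviour on 0.x versions. The function names and the version list are assumptions made for illustration.

```javascript
// Added example. Supports full x.y.z versions only (no prerelease tags).
const parse = (v) => v.split('.').map(Number);
const compare = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Return { min, max }: inclusive lower bound, exclusive upper (null = none).
// 'latest' is really a dist-tag; it is modelled here as unbounded.
function allowedRange(spec) {
  if (spec === '*' || spec === 'latest') return { min: [0, 0, 0], max: null };
  const range = spec.match(/^>=(\d+\.\d+\.\d+) <(\d+\.\d+\.\d+)$/);
  if (range) return { min: parse(range[1]), max: parse(range[2]) };
  const x = spec.match(/^(\d+)\.(\d+)\.x$/);
  if (x) return { min: [+x[1], +x[2], 0], max: [+x[1], +x[2] + 1, 0] };
  const m = spec.match(/^([\^~]?)(\d+)\.(\d+)\.(\d+)$/);
  if (!m) throw new Error(`unsupported specifier: ${spec}`);
  const [major, minor, patch] = [+m[2], +m[3], +m[4]];
  const min = [major, minor, patch];
  if (m[1] === '~') return { min, max: [major, minor + 1, 0] };
  if (m[1] === '^') {
    // Caret holds the left-most non-zero component, so 0.x ranges are narrower.
    if (major > 0) return { min, max: [major + 1, 0, 0] };
    if (minor > 0) return { min, max: [0, minor + 1, 0] };
    return { min, max: [0, 0, patch + 1] };
  }
  return { min, max: [major, minor, patch + 1] }; // exact pin
}

function satisfies(version, spec) {
  const { min, max } = allowedRange(spec);
  const v = parse(version);
  return compare(v, min) >= 0 && (max === null || compare(v, max) < 0);
}

// Highest published version that a fresh resolve of `spec` would accept.
function resolve(spec, published) {
  const ok = published.filter((v) => satisfies(v, spec));
  ok.sort((a, b) => compare(parse(a), parse(b)));
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed version list, not real registry contents.
const published = ['4.17.20', '4.17.21', '4.17.22', '4.18.0', '5.0.0'];
const specs = ['4.17.21', '~4.17.21', '4.17.x', '^4.17.21', '>=4.17.0 <5.0.0', '*'];
for (const s of specs) console.log(s.padEnd(16), '->', resolve(s, published));
```
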