We have a legacy app and it's been using Angular 2.4 since the beginning. Currently package.json is having overrides for many packgages and for our build, we are using npm install --force because of multiple conflicting peer dependency, cannot resolve dependency of some packages, etc. I can foresee that we would keep using override for other dependency update and expanding the package.json.

I'd like to understand:

1. the risks if we don't upgrade Angular version and keep using Angular 2.4?
2. Is it okay to use npm install --force in build/release pipeline in production?

CodePudding user response：

Short answer is no

Older versions of packages "decay" over time.

• Sometimes because a version of a package had dependencies which are no longer maintained
• or (the worse) because their n-th level dependency is no longer maintained.
• once a version is out of the LTS terms (or deprecated like angular v2 and older are) you also start to loose its documentation.

Then there is the unknowns of having your locked version of a package having to run with newer versions of its dependencies. And you would having to provide some of the fixes yourself.

There are plenty of security issues that the 100's of dependencies a package like angular has and can only be addressed by upgrading.

Your app might still work with forcing dependencies to update. But it would certainly be exposed to a fair bit of know issues which newer versions have already addressed.