NPM packages (theoretically) use SemVer.
In SemVer, packages get a version number of X.Y.Z.
Z indicates bug fixes.
Y indicates new features without changing existing ones.
X indicates a major version that breaks backwards-compatibility.
npm install --save <package> will result in a version string in your package.json like ^2.3.9, which means "anything in the 2.* range greater than or equal to 2.3.9". This'll mean you get bug fixes and non-breaking new features, but you won't unexpectedly be updated to a version 3.0.0 that breaks your application.
Note: I say "theoretically" because not everyone sticks to SemVer's ideal. You may find a 2.3.9 -> 2.3.10 upgrade that breaks stuff at times. Tests are handy here.
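
To see which releases a caret range like ^2.3.9 will silently accept on the next install, here is an added example (not part of the original answer, and not npm's own code) that implements the caret rule for plain X.Y.Z versions. It goes slightly beyond the answer by also covering 0.x versions, where npm's caret bumps the left-most non-zero component; pre-release tags are not handled, and the release list is constructed.

```javascript
// Added example: minimal caret-range matcher for plain X.Y.Z versions.
// Assumption: no pre-release tags or build metadata.

function parseVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(text);
  if (!m) throw new Error(`not a plain X.Y.Z version: ${text}`);
  return m.slice(1).map(Number); // numeric, so 2.3.10 sorts after 2.3.9
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound: bump the left-most non-zero component.
// ^2.3.9 -> <3.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4
function caretUpperBound([x, y, z]) {
  if (x > 0) return [x + 1, 0, 0];
  if (y > 0) return [0, y + 1, 0];
  return [0, 0, z + 1];
}

function satisfiesCaret(version, range) {
  if (!range.startsWith("^")) throw new Error(`not a caret range: ${range}`);
  const floor = parseVersion(range.slice(1));
  const v = parseVersion(version);
  return compare(v, floor) >= 0 && compare(v, caretUpperBound(floor)) < 0;
}

// Highest published version the range accepts, or null if none does.
function resolve(range, published) {
  const ok = published.filter((v) => satisfiesCaret(v, range));
  ok.sort((a, b) => compare(parseVersion(a), parseVersion(b)));
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed release history for a hypothetical package.
const published = ["2.3.8", "2.3.9", "2.3.10", "2.4.0", "3.0.0"];
console.log(resolve("^2.3.9", published));
```

Every version the range accepts is code you did not review when you first installed, which is why a committed lockfile and a test run on each dependency update matter.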