the correct way to upgrade a package

I 'accidentally' upgraded my firefox by 'pkg install forefox' earlier today .... and now when I tried to launch firefox, it said
XPCOMGlueLoad error for file /usr/local/lib/firefox/
/usr/local/lib/nss/ version NSS_3.23 required by /usr/local/lib/firefox/ not found
Couldn't load XPCOM.
I tried pkg remove firefox, pkg clean, and pkg install firefox. No use.
I tried to find out how to use pkg to install NSS version 3.23 forcefully, but it seemed not possible.

My question is that shouldn't pkg check the dependency of an upgrade? I noticed dozens of packages were upgraded together in the process earlier. pkg would also check if these upgrades would break any existing installed package.... right?
I thought this is how pkg works? please let me know if it is not the case...
besides restoring from my backup images, how would a more experienced user fix this problem? thanks
Did you try to build firefox from ports using latest updates? Packages are not always up-to-date and sometimes can cause problems with builds from ports due to different dependencies.

Try removing all firefox dependencies as well by listing all the dependencies using make build-depends-list in /usr/ports/www/firefox.

Also, can try pkg info -d firefox to list all dependencies.
Probably better to build your own packages using ports-mgmt/synth or ports-mgmt/poudriere. I usually have less problems this way since I know what's being build with custom options. Synth is easier to use for a single computer. Poudriere is better with several computers or servers. One thing I noticed is that some ports depends on libressl or openssl and some ports depends on python27 or python34. Both cannot co-exist and can break things so I build my own packages using libressl and python34 as default and I remove other options such as CUPS, DOCS, EXAMPLES so I don't have extra libraries or dependencies to deal with. If you have experiences building ports then this shouldn't be problem for you.
+1 for setting up your own repository. I rarely have issues with updates and when I do I can catch them long before I touch any of my running systems.
One nice thing about synth or poudriere is that you build your own packages with custom options. So if something breaks which cannot be fixed or many orphaned dependencies. I simply just delete all packages and reinstall everything. It's very quick, clean and can get everything up running again quickly. The config files will still remain on the computer after you delete all packages. That's one advantage of knowing my packages are custom-tailored and ready to install on a quick notice. I usually do this once or twice a year to clean things up to get rid of orphaned dependencies. pkg autoremove doesn't always work and sometimes it can break something like missing dependencies so its better to delete everything and reinstall.
My question is that shouldn't pkg check the dependency of an upgrade?

We read /usr/ports/UPDATING and run pkg upgrade on a regular basis.

Just to clarify this a bit: do not upgrade individual packages. Upgrade every package at once, or nothing at all. You've run into the problem inherent in upgrading one package: the versions of dependencies you have installed for that package are out-of-date. You could of course upgrade those dependencies individually, until you get Firefox working. But then every package you have installed that depends on the older versions of those dependencies will be broken. As a side note, and for the same reason, if you are following the "latest" repository, run pkg update && pkg upgrade before installing new packages.
pkg update is not needed since pkg upgrade does the update before upgrading.

There are some rare cases when you must run # pkg update -f to get the repository metadata properly in sync with what's on the repository server.pkg(8) is a bit fussy about this sometimes and produces some weird dependencies that make no sense, running # pkg update -f fixes this.