postmanlabs / postman-code-generators

Common repository for all code generators shipped with Postman
Apache License 2.0

specify semver ranges for dependencies #738

Open benmccann opened 5 months ago

benmccann commented 5 months ago

Not using semver ranges is forcing users to utilize versions of dependencies with known security vulnerabilities with no recourse. Standard practice is to specify a ^ in front of each dependency version, which will allow npm to download a version of the dependency which has the same major version, but may be a newer minor or patch version so that users can download fixes.
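Added example, not part of the issue or of the project's code: a dependency-free check of which declared ranges would keep npm from resolving a patched release, comparing exact pins with caret ranges. The package names, versions and the `blockedFixes` helper are constructed for illustration; the handling of `0.x` versions goes beyond the comment above and follows npm's rule that a caret range holds the left-most non-zero component fixed.

```javascript
// Handles plain x.y.z versions only (no prerelease or build tags).
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Three-way comparison of two [major, minor, patch] tuples.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when `version` is admitted by `range` ("x.y.z" exact pin or "^x.y.z").
function satisfies(version, range) {
  const v = parse(version);
  if (!range.startsWith('^')) return cmp(v, parse(range)) === 0;
  const base = parse(range.slice(1));
  if (cmp(v, base) < 0) return false;
  // Caret keeps the left-most non-zero component fixed:
  // ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4
  const i = base.findIndex((n) => n !== 0);
  const k = i === -1 ? 2 : i;
  const upper = base.map((n, j) => (j < k ? n : j === k ? n + 1 : 0));
  return cmp(v, upper) < 0;
}

// Names of dependencies whose declared range excludes the fixed release.
function blockedFixes(dependencies, fixedVersions) {
  return Object.entries(dependencies)
    .filter(([name, range]) => name in fixedVersions && !satisfies(fixedVersions[name], range))
    .map(([name]) => name);
}

// Constructed manifest and constructed "first fixed version" data.
const manifest = {
  dependencies: {
    'example-http': '2.4.1',  // exact pin: the 2.4.3 fix is unreachable
    'example-yaml': '^3.1.0', // caret: the 3.2.2 fix is picked up
    'example-zero': '^0.5.2', // caret on 0.x: the 0.6.0 fix is still excluded
  },
};
const fixed = { 'example-http': '2.4.3', 'example-yaml': '3.2.2', 'example-zero': '0.6.0' };

console.log(blockedFixes(manifest.dependencies, fixed));
```

A caret on a `0.x` dependency only admits patch releases, so a fix shipped in the next `0.x` minor still needs a manual bump.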