prebuild / prebuild-install

Minimal install client for prebuilds.
MIT License

Maybe tighten up dependency versions? #162

Closed dceejay closed 2 years ago

dceejay commented 2 years ago

In light of the recent rc package hijack, would it be sensible to tighten up the package version semantics in package.json to more tightly restrict dependencies?

see https://www.bleepingcomputer.com/news/security/popular-coa-npm-library-hijacked-to-steal-user-passwords/

vweevers commented 2 years ago

This is an app-level concern, where npm lockfiles should be used to control the full tree. Modules should be looser, so that fixes of their dependencies roll in automatically, unless stopped by a lockfile.
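The distinction drawn in the thread, as an added example that is not code from prebuild-install or from either commenter: package.json ranges only describe direct dependencies, so tightening them would not pin a transitive package such as rc, whereas a package-lock.json records an exact version, registry URL and integrity hash for every package in the tree. The script below lists the floating direct ranges of a hypothetical app, shows every copy of rc the lockfile pins, and flags lockfile entries that lack an integrity hash or resolve off the expected registry. All package names, versions, URLs and hashes are constructed for illustration.

```javascript
// Added example, not code from prebuild-install or from the thread above.
// It illustrates that package.json ranges only constrain direct
// dependencies, while package-lock.json pins every package in the tree
// (version, registry URL and integrity hash), and shows checks an app
// could run over its own lockfile in CI. All names, versions, URLs and
// hashes below are constructed for illustration.

// Constructed package.json of a hypothetical app with loose direct ranges.
const packageJson = {
  name: 'example-app',
  dependencies: { 'some-lib': '^1.0.0', 'other-lib': '~2.1.0' },
};

// Constructed package-lock.json excerpt (lockfileVersion 3 "packages" map).
// "rc" occurs twice: hoisted, and nested under other-lib at a second major.
const lockfile = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: packageJson.dependencies },
    'node_modules/some-lib': {
      version: '1.4.2',
      resolved: 'https://registry.npmjs.org/some-lib/-/some-lib-1.4.2.tgz',
      integrity: 'sha512-AAAAAAAA...', // constructed placeholder
      dependencies: { rc: '^1.2.8' },
    },
    'node_modules/rc': {
      version: '1.2.8',
      resolved: 'https://registry.npmjs.org/rc/-/rc-1.2.8.tgz',
      integrity: 'sha512-BBBBBBBB...', // constructed placeholder
    },
    'node_modules/other-lib': {
      version: '2.1.3',
      resolved: 'https://registry.npmjs.org/other-lib/-/other-lib-2.1.3.tgz',
      integrity: 'sha512-CCCCCCCC...', // constructed placeholder
      dependencies: { rc: '^2.0.0' },
    },
    // Deliberately bad entry: fetched from a mirror, no integrity hash.
    'node_modules/other-lib/node_modules/rc': {
      version: '2.3.8',
      resolved: 'https://mirror.example.internal/rc-2.3.8.tgz',
    },
  },
};

// Exact version: "1.2.3" or "1.2.3-beta.1"; anything else (^, ~, >=, *, x) floats.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

// Direct dependencies declared with a range rather than an exact version.
// This is all that tightening package.json could change: transitive
// packages such as rc are still chosen by what the dependencies declare.
function unpinnedDeclarations(pkg) {
  return Object.entries(pkg.dependencies || {})
    .filter(([, range]) => !EXACT.test(range))
    .map(([name]) => name);
}

// Package name from a lockfile path, handling nesting and @scoped names.
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

// Every copy of `name` the lockfile pins, wherever it sits in the tree.
function resolvedVersions(lock, name) {
  return Object.entries(lock.packages || {})
    .filter(([lockPath]) => packageNameFromPath(lockPath) === name)
    .map(([lockPath, entry]) => ({ path: lockPath, version: entry.version }));
}

// Findings for entries the lockfile does not fully pin: no integrity hash,
// or a tarball resolved from somewhere other than the expected registry.
function auditLockfile(lock, registry = 'https://registry.npmjs.org/') {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    // Root project, workspace links and bundled packages carry no tarball.
    if (lockPath === '' || entry.link || entry.inBundle) continue;
    if (!entry.integrity) {
      findings.push({ path: lockPath, problem: 'missing integrity hash' });
    }
    if (!entry.resolved || !entry.resolved.startsWith(registry)) {
      findings.push({ path: lockPath, problem: `resolved outside ${registry}` });
    }
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('floating direct ranges:', unpinnedDeclarations(packageJson));
  console.log('locked copies of rc:', resolvedVersions(lockfile, 'rc'));
  console.log('lockfile findings:', auditLockfile(lockfile));
}
```

A check like this only helps if installs actually honour the lockfile: `npm ci` installs exactly what package-lock.json records and fails if it disagrees with package.json, while `npm install` may rewrite the lockfile. The lockfile also only freezes the tree; whether a pinned version is a good one is still a question for review when the lockfile is updated.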