
re: How to deal with the event-stream vulnerability


I think the real issue with npm might be that dependencies are typically not locked to a specific tested and trusted full version number right in package.json. We always default to a lax definition of "give me the latest patch or minor release" using ^. That requires that we can trust all sources, which is obviously not the case.
Maybe npm and yarn should stop prefixing version numbers with the caret symbol when we add new dependencies to a project.
