DEV Community

Discussion on: How to deal with the event-stream vulnerability

tiguchi profile image
Thomas Iguchi • Edited on

I think the real issue with npm might be that dependencies are typically not locked to a specific tested and trusted full version number right in package.json. We always default to a lax definition of "give me the latest patch or minor release" using ^. That requires that we can trust all sources. Which is obviously not the case.
Maybe npm and yarn should stop prefixing version numbers with the caret symbol when we add new dependencies to a project.