I think the real issue with npm might be that dependencies are typically not locked to a specific tested and trusted full version number right in package.json. We always default to a lax definition of "give me the latest patch or minor release" using ^. That requires that we can trust all sources. Which is obviously not the case.
Maybe npm and yarn should stop prefixing version numbers with the caret symbol when we add new dependencies to a project.
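The following is an added example, not code from the commenter or from npm itself. It shows concretely what the caret in the default `^1.4.2` spec accepts, and lints a package.json for any dependency that is not pinned to one exact version. The package names in the sample manifest are hypothetical, and the version parser is a deliberate simplification of full semver (pre-release tags and build metadata are ignored for brevity).

```javascript
// Added example (not from the original comment): what npm's default caret
// range accepts, and a lint that flags package.json dependencies that are
// not pinned to one exact version.

// Parse "MAJOR.MINOR.PATCH" into numbers. Pre-release tags and build
// metadata are ignored here, a simplification of full semver.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not an exact semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Numeric comparison of two parsed versions: <0, 0 or >0.
function compare(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Exclusive upper bound of a caret range: the next release that changes
// the leftmost non-zero component (npm's semantics for ^).
//   ^1.4.2 -> <2.0.0,  ^0.3.1 -> <0.4.0,  ^0.0.3 -> <0.0.4
function caretUpperBound(base) {
  if (base.major > 0) return { major: base.major + 1, minor: 0, patch: 0 };
  if (base.minor > 0) return { major: 0, minor: base.minor + 1, patch: 0 };
  return { major: 0, minor: 0, patch: base.patch + 1 };
}

// Does `version` satisfy the caret range `range` (e.g. "^1.4.2")?
// True when base <= version < caretUpperBound(base).
function caretSatisfies(range, version) {
  if (!range.startsWith('^')) throw new Error(`not a caret range: ${range}`);
  const base = parseVersion(range.slice(1));
  const v = parseVersion(version);
  return compare(v, base) >= 0 && compare(v, caretUpperBound(base)) < 0;
}

// An exact pin is a bare MAJOR.MINOR.PATCH (optionally with a pre-release
// tag) and no operator or range prefix such as ^, ~, >=, *, or x.
function isExactPin(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec);
}

// Return every dependency whose spec is not an exact pin, across the
// dependency sections npm installs from.
function findUnpinnedDependencies(pkg) {
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies'];
  const result = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!isExactPin(spec)) result.push({ section, name, spec });
    }
  }
  return result;
}

// Constructed sample package.json with hypothetical package names.
const samplePackageJson = {
  name: 'example-app',
  dependencies: {
    'left-util': '^1.4.2',     // default npm spec: accepts 1.4.2 .. <2.0.0
    'safe-pinned': '2.0.1',    // exact pin: only this version resolves
    'legacy-lib': '~0.9.3',    // tilde range: accepts 0.9.3 .. <0.10.0
  },
  devDependencies: {
    'build-helper': '^0.3.1',  // caret on 0.x: accepts 0.3.1 .. <0.4.0
  },
};

// A release published later under the same caret range resolves as if it
// had been reviewed: ^1.4.2 happily accepts 1.9.0.
console.log('^1.4.2 accepts 1.9.0:', caretSatisfies('^1.4.2', '1.9.0'));
console.log('^1.4.2 accepts 2.0.0:', caretSatisfies('^1.4.2', '2.0.0'));

for (const dep of findUnpinnedDependencies(samplePackageJson)) {
  console.log(`${dep.section}/${dep.name}: "${dep.spec}" is not an exact pin`);
}
```

Running the lint against the sample flags three of the four entries. To make `npm install <pkg>` write exact versions instead of a caret range, set `save-exact=true` in `.npmrc` (or run `npm config set save-exact true`). Note that a committed lockfile installed with `npm ci` already fixes what gets installed; the spec in package.json decides what a fresh resolution or a deliberate update is allowed to pick.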