Created by: hermanbanken
Fixating the package dependencies is harmful both to the ecosystem and in the ecosystem of NPM, where vulnerabilities are plentiful and widespread. By pinning, this library requires manual intervention & publication even while the vulnerable dependencies themselves are patched. It is really in the word: "patched" indicates that you most often want these changes and that you don't want to skip having them. If you really need to fixate your dependencies then you simply rely on `npm ci` to install, and you get the same version every single time.

If every library had only patch versions everyone would be happy!

This fixes many current and future security related PRs and issues like https://github.com/facebook/create-react-app/issues/7364.
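As an added example (not code from this PR or the project), the following minimal semver resolver shows what the argument above means in practice: an exact pin never picks up a patched release, while `~`/`^` ranges do, and a lockfile consumed by `npm ci` still gives a reproducible install. The published versions and the locked version are constructed sample data.

```javascript
// Minimal npm-style version resolution (added example, not the project's code).
function parse(v) {
  const [major, minor, patch] = v.split('.').map(Number);
  return { major, minor, patch };
}
function cmp(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}
// Inclusive lower bound / exclusive upper bound, following npm's caret and tilde rules
function rangeOf(spec) {
  const op = spec[0] === '^' || spec[0] === '~' ? spec[0] : '';
  const base = parse(op ? spec.slice(1) : spec);
  let upper;
  if (op === '^') {
    // caret keeps the leftmost non-zero component fixed
    if (base.major > 0) upper = { major: base.major + 1, minor: 0, patch: 0 };
    else if (base.minor > 0) upper = { major: 0, minor: base.minor + 1, patch: 0 };
    else upper = { major: 0, minor: 0, patch: base.patch + 1 };
  } else if (op === '~') {
    // tilde allows patch-level changes only
    upper = { major: base.major, minor: base.minor + 1, patch: 0 };
  } else {
    // exact pin: only this one version satisfies the spec
    upper = { major: base.major, minor: base.minor, patch: base.patch + 1 };
  }
  return { lower: base, upper };
}
// Highest published version satisfying the spec, as `npm install` without a lockfile would pick
function resolve(spec, published) {
  const { lower, upper } = rangeOf(spec);
  const ok = published.map(parse).filter(v => cmp(v, lower) >= 0 && cmp(v, upper) < 0);
  if (ok.length === 0) return null;
  const best = ok.sort(cmp).pop();
  return `${best.major}.${best.minor}.${best.patch}`;
}
// Constructed registry state: 1.2.4 is the security patch release for 1.2.3
const PUBLISHED = ['1.2.3', '1.2.4', '1.3.0', '2.0.0'];
// Constructed package-lock.json entry: what `npm ci` installs regardless of the range
const LOCKED = '1.2.3';
function installed(spec, useCi) {
  return useCi ? LOCKED : resolve(spec, PUBLISHED);
}
```

With a range such as `^1.2.3` the patched `1.2.4` (or later) is picked up automatically, whereas an exact `1.2.3` stays on the vulnerable release until the library itself is republished.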