Use case
Reproducible builds and supply-chain safety. package.json currently declares 13 runtime deps and 5 dev deps as "latest" (e.g. express, ws, chrome-launcher, esbuild, eslint). Any transitive breakage in an upstream release lands directly in the next npm i.
Proposal
Replace "latest" with specific ranges (e.g. "^4.19.0") and commit the resolved package-lock.json (already tracked at 143KB). Consider Dependabot for controlled upgrades.
Existing art
npm docs recommend against "latest" as a range specifier; leaves versions non-deterministic per-install.
Cite
package.json:29-46 (all 13 runtime deps + 5 devDeps set to "latest").
Not a bug
Works today; a hardening request.
Thanks for maintaining DO-SAY-GO/dn!
Use case
Reproducible builds and supply-chain safety.
package.jsoncurrently declares 13 runtime deps and 5 dev deps as"latest"(e.g.express,ws,chrome-launcher,esbuild,eslint). Any transitive breakage in an upstream release lands directly in the nextnpm i.Proposal
Replace
"latest"with specific ranges (e.g."^4.19.0") and commit the resolvedpackage-lock.json(already tracked at 143KB). Consider Dependabot for controlled upgrades.Existing art
npm docs recommend against
"latest"as a range specifier; leaves versions non-deterministic per-install.Cite
package.json:29-46(all 13 runtime deps + 5 devDeps set to"latest").Not a bug
Works today; a hardening request.
Thanks for maintaining DO-SAY-GO/dn!