Skip to content

[FR] Pin dependencies to explicit versions instead of "latest" #241

Description

@chirag127

Use case

Reproducible builds and supply-chain safety. package.json currently declares 13 runtime deps and 5 dev deps as "latest" (e.g. express, ws, chrome-launcher, esbuild, eslint). Any transitive breakage in an upstream release lands directly in the next npm i.

Proposal

Replace "latest" with specific ranges (e.g. "^4.19.0") and commit the resolved package-lock.json (already tracked at 143KB). Consider Dependabot for controlled upgrades.

Existing art

npm docs recommend against "latest" as a range specifier; leaves versions non-deterministic per-install.

Cite

package.json:29-46 (all 13 runtime deps + 5 devDeps set to "latest").

Not a bug

Works today; a hardening request.

Thanks for maintaining DO-SAY-GO/dn!

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions