I’m not going to link to third party blogs, but I’m sure everyone is familiar with incidents that happened with the purescript package, event-stream package, etc…
Isn’t the fix simple? Just remove the ‘^’ from default dependencies.
This way the damage is drastically reduced, since the only way a malicious package will be installed on a user’s project would be by their own will. And since malicious packages already barely survive for a week before developers figure out the issue, the damage will be almost non-existent.
This will also help force people to understand more about versioning and set their own custom rules instead. I really can’t see why this hasn’t been implemented yet.
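An added example, not part of the original post: a small caret-range resolver that shows why the default `^` matters, by resolving the same dependency against a constructed registry listing once with `^1.2.3` and once with an exact pin. The `caretSatisfies`/`resolve` helpers and the version list are my own assumptions for illustration, not npm's code.

```javascript
// Added example (not from the original post): caret range vs. exact pin,
// resolved against a constructed list of published versions.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// npm caret semantics: any version >= the base that leaves the
// left-most non-zero component unchanged.
function caretSatisfies(range, candidate) {
  const lo = parseSemver(range.slice(1));
  const c = parseSemver(candidate);
  if (compare(c, lo) < 0) return false;
  if (lo[0] !== 0) return c[0] === lo[0];
  if (lo[1] !== 0) return c[0] === 0 && c[1] === lo[1];
  return c[0] === 0 && c[1] === 0 && c[2] === lo[2];
}

// Resolve a spec ("^1.2.3" or an exact "1.2.3") to the highest published
// version it admits, or null when nothing matches.
function resolve(spec, published) {
  const ok = spec.startsWith('^')
    ? published.filter((v) => caretSatisfies(spec, v))
    : published.filter((v) => v === spec);
  if (ok.length === 0) return null;
  return ok.map(parseSemver).sort(compare).pop().join('.');
}

// Constructed registry listing: 1.3.0 is a release pushed after the
// project last ran install, e.g. by whoever now controls the package.
const PUBLISHED = ['1.2.3', '1.2.4', '1.3.0'];

console.log(resolve('^1.2.3', PUBLISHED)); // "1.3.0": a fresh install silently picks it up
console.log(resolve('1.2.3', PUBLISHED));  // "1.2.3": the pin only moves when the developer edits it
```

A lockfile gives the same protection for installs that honour it, but the pin in `package.json` is what controls what a fresh `npm install` without a lockfile resolves to.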