Change default dependency settings?

I’m not going to link to third party blogs, but I’m sure everyone is familiar with incidents that happened with the purescript package, event-stream package, etc…

Isn’t the fix simple? Just remove the ‘^’ from default dependencies.

This way the damage is drastically reduced, since the only way a malicious package will be installed on a user’s project would be by their own will. And since malicious packages already barely survive for a week before developers figure out the issue, the damage will be almost non-existent.

This will also help force people to understand more about versioning and set their own custom rules instead. I really can’t see why this hasn’t been implemented yet.
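The resolution behaviour the post is arguing about, as an added example that is not part of the original post: a small re-implementation of node-semver's documented caret-range rules (no third-party packages), run against a constructed list of published versions in which `1.2.4` stands in for a freshly published, hypothetically malicious patch release. With the default `^1.2.3` the newest version is picked up on a fresh install; with the exact pin `1.2.3` it is not.

```javascript
// Added example, not code from the original post or from npm itself.
// Caret semantics below follow node-semver's documented rules:
//   ^1.2.3 := >=1.2.3 <2.0.0
//   ^0.2.3 := >=0.2.3 <0.3.0
//   ^0.0.3 := >=0.0.3 <0.0.4
// Assumption: plain x.y.z versions only (no pre-release tags or build metadata).

function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric, component-wise comparison: negative if a < b, 0 if equal, positive if a > b.
function compare(a, b) {
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Exclusive upper bound of a caret range: bump the left-most non-zero component.
function caretUpperBound(v) {
  const [maj, min, pat] = parse(v);
  if (maj > 0) return `${maj + 1}.0.0`;
  if (min > 0) return `0.${min + 1}.0`;
  return `0.0.${pat + 1}`;
}

// Does `version` fall inside `range`? Supports "^x.y.z" and an exact "x.y.z".
function satisfies(version, range) {
  if (range.startsWith('^')) {
    const base = range.slice(1);
    return compare(version, base) >= 0 && compare(version, caretUpperBound(base)) < 0;
  }
  return compare(version, range) === 0; // exact pin
}

// npm installs the highest published version that satisfies the range.
function resolve(range, published) {
  const candidates = published.filter(v => satisfies(v, range));
  if (candidates.length === 0) return null;
  return candidates.sort(compare).pop();
}

// Constructed registry state for the example: 1.2.4 is the newly published
// (hypothetically malicious) release that did not exist when 1.2.3 was chosen.
const PUBLISHED = ['1.2.2', '1.2.3', '1.2.4'];

function demo() {
  return {
    caret: resolve('^1.2.3', PUBLISHED), // '1.2.4': the new release is pulled in
    exact: resolve('1.2.3', PUBLISHED),  // '1.2.3': the pin holds
  };
}

const r = demo();
console.log(`"^1.2.3" resolves to ${r.caret}; "1.2.3" resolves to ${r.exact}`);
```

For a project today, the same effect is obtained with npm's existing settings rather than a change to the default: `npm install --save-exact`, or `save-exact=true` in `.npmrc`, writes pinned versions instead of `^` ranges. Note that a pinned line in package.json only fixes the direct dependency; transitive dependencies still resolve through their own ranges unless a lockfile is committed and installs use `npm ci`.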