npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

Change default dependency settings?

I’m not going to link to third party blogs, but I’m sure everyone is familiar with incidents that happened with the purescript package, event-stream package, etc…

Isn’t the fix simple? Just remove the ‘^’ from default dependencies.

This way the damage is drastically reduced, since the only way a malicious package will be installed on a user’s project would be by their own will. And since malicious packages already barely survive for a week before developers figure out the issue, the damage will be almost non-existent.

This will also help force people understand more about versioning and set their custom rules instead. I really can’t see why this hasn’t been implemented yet.