npm install should only install exact packages unless explicitly told not to via a flag e.g.
- Would make CI builds repeatable by default
- Would make it impossible to accidentally, silently upgrade to a compromised package e.g. https://github.com/npm/npm/issues/21202
I would also like to reply to what was said here: https://github.com/npm/npm/issues/21206#issuecomment-404577187, since that issue has now been locked.
package-lock.json is not going to fix this problem. Many times, I’ve had to blow away a lockfile and recreate it because of merge conflicts (I use yarn but I imagine it’s the same). Also, it does not address the scenario where someone starts a brand new project during the window when a compromised package exists on a registry.
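As an added example (not code from the issue author or from npm itself), the script below is a repository check for the situation described above: it parses a `package.json` and reports every dependency whose specifier is not an exact semver pin (`^`, `~`, x-ranges, dist-tags such as `latest`, git or file URLs), so that a fresh project or a regenerated lockfile cannot silently resolve to a newer, possibly compromised release. It also checks whether an `.npmrc` sets `save-exact=true`, which is the existing npm setting that makes `npm install --save` write pins instead of ranges. The manifest and `.npmrc` contents are constructed sample input, not a real project.

```python
import json
import re

# Exact semver: MAJOR.MINOR.PATCH with optional prerelease/build metadata.
# Anything else (^, ~, >=, x-ranges, dist-tags like "latest", git/file URLs)
# can resolve to a different version on a fresh install.
EXACT_SEMVER = re.compile(
    r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$"
)

# Manifest fields whose entries npm installs.
DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")


def is_exact(spec):
    """True if the version specifier pins exactly one version."""
    spec = spec.strip()
    if spec.startswith("="):  # semver's "=1.2.3" comparator is also an exact pin
        spec = spec[1:]
    return bool(EXACT_SEMVER.match(spec))


def non_exact_dependencies(package_json_text):
    """Return {"field/name": spec} for every dependency that is not pinned."""
    manifest = json.loads(package_json_text)
    findings = {}
    for field in DEP_FIELDS:
        for name, spec in manifest.get(field, {}).items():
            if not is_exact(spec):
                findings[f"{field}/{name}"] = spec
    return findings


def npmrc_saves_exact(npmrc_text):
    """True if an .npmrc enables save-exact, so `npm install --save` writes pins."""
    for line in npmrc_text.splitlines():
        # .npmrc is ini-style; strip "#" and ";" comments before parsing key=value
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "save-exact":
                return value.lower() == "true"
    return False


# Constructed sample manifest (not a real project) mixing pins and ranges.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "sample-app",
    "dependencies": {
        "left-pad": "^1.3.0",
        "lodash": "4.17.11",
        "eslint-scope": "~3.7.1",
        "some-lib": "1.0.0-beta.2",
    },
    "devDependencies": {"jest": "23.4.1", "ts-node": "latest"},
})

# Constructed sample .npmrc enabling exact saves.
SAMPLE_NPMRC = "# constructed example\nsave-exact=true\npackage-lock=true\n"

if __name__ == "__main__":
    for key, spec in non_exact_dependencies(SAMPLE_PACKAGE_JSON).items():
        print(f"not pinned: {key} -> {spec!r}")
    print("save-exact enabled:", npmrc_saves_exact(SAMPLE_NPMRC))
```

Run against a real checkout by replacing the constructed strings with the contents of the project's `package.json` and `.npmrc`; a non-empty result from `non_exact_dependencies` is the condition under which an install could pull in a version nobody reviewed.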