by rewma 1713 days ago
> Every time you commit, package-lock.json is different. And when it is not, then I have 26 new vulnerabilities to be fixed by “npm audit fix”. I have zero trust in my build being reproducible, or even working one year forward.

In some of the nodejs projects I've worked on, we had all dependencies with pinned version numbers, and each week we created a ticket to track work on upgrading them. This typically involved a single commit updating package versions and running all tests. More often than not it took no work at all.

If a project just lets their dependencies change randomly and does not invest any work updating them, of course there's bound to be pain and suffering.
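The pinning practice described in the comment above is only worth anything if it is enforced. What follows is an added example, not code from the commenter or from any project in the thread: a small Node script that fails a CI run if any specifier in package.json is not an exact version, and that reports drift between a pinned version and what package-lock.json actually resolved. The package.json and lockfile it runs against are constructed here for illustration; the lockfile layout assumed is the `packages` map keyed by `node_modules/<name>` that npm writes for lockfileVersion 2 and 3.

```javascript
'use strict';
// Added example (not from the original thread): enforce "every dependency is
// pinned" and "the lockfile agrees with package.json" as a CI check.

// An exact version is MAJOR.MINOR.PATCH with optional pre-release/build tags.
// Ranges (^, ~, >=, x), dist-tags such as "latest", git URLs and file: paths
// all fail this test; none of them resolve to the same tree a year from now.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isExactVersion(spec) {
  return EXACT_VERSION.test(String(spec).trim());
}

const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Returns [{section, name, spec}] for every specifier that is not pinned.
function findUnpinned(pkg, sections = SECTIONS) {
  const out = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!isExactVersion(spec)) out.push({ section, name, spec });
    }
  }
  return out;
}

// For lockfileVersion 2/3 the "packages" map records what was installed.
// Report every top-level pinned dependency whose locked version differs
// from (or is missing in) the lockfile: that is the drift the quoted
// comment complains about. Unpinned entries are skipped; findUnpinned
// already reports them.
function findLockDrift(pkg, lock, sections = SECTIONS) {
  const packages = (lock && lock.packages) || {};
  const out = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!isExactVersion(spec)) continue;
      const entry = packages[`node_modules/${name}`];
      const locked = entry ? entry.version : undefined;
      if (locked !== spec) out.push({ name, wanted: spec, locked });
    }
  }
  return out;
}

// Prints findings and returns true only when nothing is wrong.
function runCheck(pkg, lock) {
  const unpinned = findUnpinned(pkg);
  const drift = lock ? findLockDrift(pkg, lock) : [];
  for (const u of unpinned) {
    console.error(`unpinned: ${u.section}.${u.name} = "${u.spec}"`);
  }
  for (const d of drift) {
    console.error(`lock drift: ${d.name} pinned ${d.wanted}, lock has ${d.locked || 'nothing'}`);
  }
  return unpinned.length === 0 && drift.length === 0;
}

// Constructed sample input for a hypothetical project (not the commenter's).
const SAMPLE_PACKAGE_JSON = {
  name: 'example-app',
  dependencies: { express: '4.18.2', lodash: '^4.17.21', leftpad: '~1.3.0' },
  devDependencies: { jest: '29.7.0', eslint: 'latest', 'some-lib': 'github:org/repo' },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/express': { version: '4.18.2' },
    'node_modules/jest': { version: '29.6.0' }, // stale relative to package.json
  },
};

// Usage: node check-pins.js [package.json] [package-lock.json]
// With no arguments it runs against the embedded sample and only prints.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const [pkgPath, lockPath] = process.argv.slice(2);
  const pkg = pkgPath ? JSON.parse(fs.readFileSync(pkgPath, 'utf8')) : SAMPLE_PACKAGE_JSON;
  const lock = lockPath ? JSON.parse(fs.readFileSync(lockPath, 'utf8'))
    : (pkgPath ? null : SAMPLE_LOCK);
  const ok = runCheck(pkg, lock);
  if (pkgPath) process.exitCode = ok ? 0 : 1;
}
```

Run it as a CI step before `npm ci`; a non-zero exit means someone let a range back into package.json or committed a lockfile that no longer matches it. It deliberately rejects `latest` and git specifiers as well as ranges, since both can change what is installed without any change to the repository.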