by Bolkan 1399 days ago
And it doesn't address the semver malware injection bug demonstrated by the colors author. Funny, isn't it: any one of the thousands of npm package authors can inject malware into our computers and nobody gives a shit.

https://snyk.io/blog/open-source-npm-packages-colors-faker/

1 comment

> And it doesn't address the semver malware injection bug demonstrated by colors author

[Not a fan of Bun] In Bun, you can pin versions with package.json just like in Node.js.

What would address the malware injection when someone chooses to auto-update packages as part of a build?

You can only pin your direct deps.
A lockfile is a way to lock your indirect dependencies. If you only install based on the lockfile every dependency is pinned.
You cannot audit and pin all your transitive dependencies. The amount of churn the lockfile goes through is insane.
Dependabot watches all the transitive dependencies in your lock files. For better and worse. For worse in that it's not a great developer experience to get a PR on a low-level transitive dependency, which is also one of the largest complaints about Dependabot: that it often feels too low level and not at the dependency level you are working at. But Dependabot (and npm audit) still exist to audit all your low-level transitive dependencies in your lock files.