by Aqueous 1202 days ago
Doesn't just stopping using version ranges also help with this? I've never understood why people would allow a package manager to update a piece of their code for them automatically. Using specifiers like ^1.5.3, allowing the package manager to go all the way up to version 1.999 automagically, is just asking for trouble.

Find a set of versions that is self-compatible and works, and pin all your versions to those specific versions, with a hash if possible. Upgrade on your schedule, not someone else's. Thoughts?

2 comments

In theory, sure!

In practice, it will stay pinned for years until a CVE forces a patch upgrade that ends up triggering a dependency avalanche and weeks or months of headaches.

This is usually managed with lock files.

The package spec puts down what it should work with; you pin a specific version in that range for your app that you've tested.

Otherwise updating things will never happen. Unless you have full separation between upstream dependencies (so you can have multiple versions at the same time) - and that brings huge questions - a single dep 3 steps away can stop you upgrading.

Ranges also communicate "this doesn't work with later than X" as well.
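As an added example that is not part of the thread, a small Python checker for the policy the first comment argues for: it reads a pip-style requirements file and flags entries that are ranges or exact pins without a `--hash`. The requirements content is constructed for the demo, and the hash is a placeholder.

```python
import re

# Constructed sample (not from the thread): one hash-pinned entry, one exact pin
# without hashes, two range specifiers, one bare name. The hash is a placeholder.
SAMPLE_REQUIREMENTS = """\
# app dependencies
requests==2.31.0 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
urllib3==2.0.7
certifi>=2023.7.22
idna~=3.4
charset-normalizer
"""

# name (with optional extras), optional comparison operator, optional version
REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*(?:\[[^\]]*\])?)\s*"
    r"(?P<op>===|==|~=|>=|<=|!=|>|<)?\s*(?P<ver>[^\s,]*)"
)

def parse_requirements(text):
    """Return one dict per requirement: name, op, version, hashes.
    Backslash-continued lines are joined first, comments and blanks dropped."""
    entries = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        hashes = [t.split("=", 1)[1] for t in tokens if t.startswith("--hash=")]
        spec = " ".join(t for t in tokens if not t.startswith("--hash="))
        m = REQ_RE.match(spec)
        if not m:
            raise ValueError(f"unparseable requirement: {spec!r}")
        entries.append({"name": m["name"], "op": m["op"],
                        "version": m["ver"], "hashes": hashes})
    return entries

def audit(text):
    """Map each non-compliant entry to the reason: not an exact pin, or no hash."""
    problems = {}
    for e in parse_requirements(text):
        if e["op"] not in ("==", "==="):
            problems[e["name"]] = f"range or unpinned ({e['op'] or 'no specifier'})"
        elif not e["hashes"]:
            problems[e["name"]] = "exact pin but no --hash (integrity not verified)"
    return problems

if __name__ == "__main__":
    for name, why in audit(SAMPLE_REQUIREMENTS).items():
        print(f"{name}: {why}")
```

Run against an application's pinned requirements (not a library's package spec, which the replies note legitimately carries ranges) to catch entries that would let a resolver move on someone else's schedule.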