[TranquilMarmot]

Even with ^ you won't get an updated version until somebody runs an install and updates the lockfile.

We have things like dependebot for this.

https://docs.github.com/en/code-security/tutorials/secure-yo...