[hmokiguess]

At my former job we had a private registry that was a mirror of npm’s with an approval gate for packages devs would request and it would always pin versions

I took that for granted back then and just assumed it was standard enterprise policy

[jamesfinlayson]

Multiple previous jobs had this too (local Packagist is thing, Artifactory is another) but my current job got rid of theirs. Seemed a little short-sighted given the risks but I don't make the decisions.