Dependency version requirements are too strict

[fjeldstad]

Since updates - including security patches - to this library are infrequent, could you please consider relaxing the dependency version requirements to allow for consuming applications to install minor and patch version updates? So instead of "lodash": "x.y.z" you would specify "lodash": "^x.y.z" for example - that way users stuck on this old library can still patch vulnerabilities and you would have fewer issues reported about it.

[dragonmantank]

Hello,
This gets into a weird spot, especially with Node. Due to supply chain attacks being more and more frequent, it has led us to more stictly define what our dependencies are. What I will do is make sure we are being more proactive about updating them (and will put it on my list to do for this week).

[fjeldstad]

Hello, This gets into a weird spot, especially with Node. Due to supply chain attacks being more and more frequent, it has led us to more stictly define what our dependencies are. What I will do is make sure we are being more proactive about updating them (and will put it on my list to do for this week).

I understand. It is indeed weird/tricky since pinned exact versions prevent consumers from applying patches - it works as long as the library is published often enough, or vulnerabilities will stay unaddressed. One could argue that pinning exact versions moves more of the responsibility to the library maintainers 😬 - but of course entirely up to you.

Would be super if you could prioritise publishing a new version with all known vulnerabilities patched 👍