Can we stop using `^` in `package.json`

Stop using `^` in `package.json` if you care about supply-chain safety. If the lockfile is missing (fresh clone, CI misconfig) or you rely on automated updates like Renovate or Dependabot, semver ranges allow unreviewed code to enter your dependency graph. A compromised minor or patch release becomes eligible and can be pulled in automatically. After last year's wave of npm supply-chain attacks, we audited all our projects and locked dependencies down. Every upgrade is now an explicit, manual decision.