Can we stop using `^` in `package.json`
3 points by jsmilker 7 hours ago | 0 comments
Stop using `^` in `package.json` if you care about supply-chain safety.

If the lockfile is missing (fresh clone, CI misconfig) or you rely on automated updates like Renovate or Dependabot, semver ranges allow unreviewed code to enter your dependency graph. A compromised minor or patch release becomes eligible and can be pulled in automatically.

After last year’s wave of npm supply-chain attacks, we audited all our projects and locked dependencies down. Every upgrade is now an explicit, manual decision.
