Dependency prefixes are a supply chain risk: let's fix them
Blog post from Sourcegraph
Dependency prefixes in package managers such as npm, pnpm, and Yarn can ease updates, but they also widen the supply chain risk by letting a compromised package version reach production. Prefixes such as ^, ~, and * determine which versions of a package the package manager is allowed to fetch, often without the developer explicitly choosing the version that actually gets installed; when a package or its maintainer is compromised, a fresh install can pull in the malicious release automatically.

To mitigate this, treat version ranges as a policy control rather than a convenience, and use lockfiles so that installations are consistent and repeatable. For sensitive packages, pin exact versions: this shifts the responsibility for updating to developers and reduces the chance of silently receiving a malicious update. Where possible, disable install scripts so that a fetched package cannot run code during installation. Audit the dependency tree that is actually resolved, not just what package.json declares, and use tooling such as Sourcegraph Batch Changes to roll a versioning policy out across many repositories, which makes version choices visible and manageable. Dependency ranges remain useful, but they should be applied deliberately to maintain security.
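To make the policy above concrete, here is an added example (not code from the Sourcegraph post or from Batch Changes) that classifies each specifier in a package.json, flags anything that is not an exact pin, and rewrites ranges to the versions the lockfile already resolved. It assumes Node.js 18+ and the package-lock.json v2/v3 "packages" layout; the sample package.json and lockfile are constructed for the demo.

```javascript
// Added example, not code from the Sourcegraph post. Flags dependency specifiers
// that let npm/pnpm/Yarn fetch a newer, possibly compromised, release and pins
// them from the lockfile. Assumes Node.js 18+ and package-lock.json v2/v3.
const EXACT_RE = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const RANGE_RE = /^[~^]|[<>=|\s]|^\d+(\.(\d+|[xX*]))*$/;

// Returns 'exact', 'any', 'range', 'non-registry' or 'tag' for one specifier.
function classifySpecifier(spec) {
  const s = String(spec).trim();
  if (s === '' || s === '*' || /^[xX]$/.test(s) || s === 'latest') return 'any';
  if (EXACT_RE.test(s)) return 'exact';
  if (/^(git\+|github:|https?:|file:|link:|workspace:|npm:)/.test(s) || s.includes('/')) return 'non-registry';
  if (RANGE_RE.test(s)) return 'range';
  return 'tag'; // dist-tag such as "next": resolves to whatever is published under it at install time
}

// Reports every dependency that is not an exact pin. Names in `sensitive` and
// unbounded specifiers are errors; the rest are warnings so a team can tighten gradually.
function auditDependencies(pkg, sensitive = []) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpecifier(spec);
      if (kind === 'exact') continue;
      const level = kind === 'any' || sensitive.includes(name) ? 'error' : 'warn';
      findings.push({ field, name, spec, kind, level });
    }
  }
  return findings;
}

// Returns a copy of package.json with each registry range replaced by the version
// the lockfile actually resolved, i.e. what the project has already been running.
function pinFromLockfile(pkg, lock) {
  const out = JSON.parse(JSON.stringify(pkg));
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(out[field] || {})) {
      const kind = classifySpecifier(spec);
      const resolved = lock.packages?.[`node_modules/${name}`]?.version;
      if (kind !== 'exact' && kind !== 'non-registry' && resolved) out[field][name] = resolved;
    }
  }
  return out;
}

// Constructed sample package.json and lockfile for the demo (not a real project).
const samplePkg = { name: 'demo-app', dependencies: { 'caret-lib': '^1.3.0', 'tilde-lib': '~2.0.4', 'wild-lib': '*', 'pinned-lib': '4.17.21', 'tag-lib': 'next' }, devDependencies: { 'build-tool': '>=5.0.0 <6' } };
const sampleLock = { lockfileVersion: 3, packages: { 'node_modules/caret-lib': { version: '1.9.2' }, 'node_modules/tilde-lib': { version: '2.0.7' }, 'node_modules/build-tool': { version: '5.4.0' } } };

for (const f of auditDependencies(samplePkg, ['tilde-lib'])) {
  console.log(`${f.level.toUpperCase()} ${f.field}.${f.name}: "${f.spec}" (${f.kind})`);
}
```

Running it prints one line per non-pinned dependency; `pinFromLockfile(samplePkg, sampleLock)` yields the package.json you would commit once the team decides those packages must be pinned.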