vel0city 3 days ago
The package-lock.json includes a hash of the package, not just a version number which should be immutable.
whilenot-dev 3 days ago
To add to this: the hash in the lock file is the checksum of the published tarball, not the commit hash.
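Added example, not part of the thread: a Node.js sketch of the check the two comments describe, comparing the `integrity` value recorded in a `package-lock.json` entry with a digest of the tarball bytes actually fetched. The function names, the `registry.example` URL, the `example-pkg` package and the strongest-algorithm policy are assumptions of this example; the sample data is constructed.

```javascript
const crypto = require('node:crypto');

// Strongest first; choosing the strongest listed hash is this example's policy.
const ALGO_PREFERENCE = ['sha512', 'sha384', 'sha256', 'sha1'];

// Parse an SRI-style value: one or more "<algorithm>-<base64 digest>" entries.
function parseIntegrity(integrity) {
  return integrity.trim().split(/\s+/).map((entry) => {
    const dash = entry.indexOf('-');
    const algorithm = entry.slice(0, dash);
    if (dash < 1 || !ALGO_PREFERENCE.includes(algorithm)) {
      throw new Error(`unsupported integrity entry: ${entry}`);
    }
    return { algorithm, digest: Buffer.from(entry.slice(dash + 1), 'base64') };
  });
}

// True only if the tarball bytes hash to a listed digest of the strongest algorithm.
function verifyTarball(tarballBytes, integrity) {
  const entries = parseIntegrity(integrity);
  const best = ALGO_PREFERENCE.find((a) => entries.some((e) => e.algorithm === a));
  const actual = crypto.createHash(best).update(tarballBytes).digest();
  return entries.some((e) => e.algorithm === best &&
    e.digest.length === actual.length && crypto.timingSafeEqual(e.digest, actual));
}

// Return the lock-file paths whose fetched bytes are missing or do not match.
function auditLock(lock, fetchedTarballs) {
  const failures = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!meta.integrity) continue; // the root project entry has no integrity field
    const bytes = fetchedTarballs[meta.resolved];
    if (!bytes || !verifyTarball(bytes, meta.integrity)) failures.push(path);
  }
  return failures;
}

// Constructed sample data: stand-in tarball bytes and a lockfileVersion 3 fragment.
const sri = (algo, buf) => `${algo}-${crypto.createHash(algo).update(buf).digest('base64')}`;
const SAMPLE_URL = 'https://registry.example/example-pkg/-/example-pkg-1.2.3.tgz';
const sampleTarball = Buffer.from('constructed stand-in for example-pkg-1.2.3.tgz');
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/example-pkg': { version: '1.2.3', resolved: SAMPLE_URL,
    integrity: sri('sha512', sampleTarball) },
} };
const republished = Buffer.from('different bytes published under the same 1.2.3');
console.log(auditLock(sampleLock, { [SAMPLE_URL]: sampleTarball })); // matching bytes
console.log(auditLock(sampleLock, { [SAMPLE_URL]: republished }));   // same version, other bytes
```

Because the digest covers the tarball bytes, the check says nothing about which source commit the tarball was built from.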