HatchedLake721 5 days ago

Don’t auto install latest versions, pick a version up to a patch and use package-lock.json

mdaniel 5 days ago | parent

That's only half the story, as I learned yesterday <https://news.ycombinator.com/item?id=45172213> since even with lock files one must change the verb given to npm/yarn to have them honor the lock file

So, regrettably, we're back to "train users" and all the pitfalls that entails
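The two comments above boil down to a check a CI step can run before any install verb is typed: are the direct dependencies pinned to exact versions, and does package-lock.json still agree with package.json (the mismatch `npm ci` aborts on but `npm install` silently repairs by rewriting the lock)? The script below is an added example written for this page, not code from the thread or from npm; it assumes the lockfileVersion 2/3 layout ("packages" keyed by node_modules path) and uses constructed sample manifests in which lodash is left unpinned and eslint was added to package.json without regenerating the lock.

```javascript
// Added example: a pre-install guard for package.json / package-lock.json.
// Not from the thread; the sample manifests below are constructed.

// Exact version, optionally with prerelease/build suffix. Anything else
// (^, ~, "latest", ranges, tags) is treated as unpinned.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;

// Compare two {name: spec} maps regardless of key order.
function sameMap(a, b) {
  const ka = Object.keys(a).sort();
  const kb = Object.keys(b).sort();
  return ka.length === kb.length && ka.every((k, i) => k === kb[i] && a[k] === b[k]);
}

// Returns a list of human-readable problems; an empty list means the lock
// file is consistent with the manifest and every direct dependency is pinned.
function checkLock(pkg, lock) {
  const problems = [];
  if (!(lock.lockfileVersion >= 2)) {
    problems.push(`unsupported lockfileVersion ${lock.lockfileVersion}; expected 2 or 3`);
    return problems;
  }
  const packages = lock.packages || {};
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };

  for (const [name, spec] of Object.entries(declared)) {
    const pinned = EXACT_VERSION.test(spec);
    if (!pinned) problems.push(`${name}: spec "${spec}" is not pinned to an exact version`);

    const entry = packages[`node_modules/${name}`];
    if (!entry) {
      problems.push(`${name}: missing from package-lock.json`);
      continue;
    }
    if (pinned && entry.version !== spec) {
      problems.push(`${name}: package.json wants ${spec} but lock has ${entry.version}`);
    }
    if (!entry.integrity) problems.push(`${name}: lock entry has no integrity hash`);
  }

  // The "" entry mirrors package.json at the time the lock was written; a
  // difference here is what makes `npm ci` refuse and `npm install` rewrite.
  const root = packages[""] || {};
  for (const field of ["dependencies", "devDependencies"]) {
    if (!sameMap(pkg[field] || {}, root[field] || {})) {
      problems.push(`root ${field} differ between package.json and package-lock.json`);
    }
  }
  return problems;
}

// Constructed sample: lodash unpinned, eslint added without updating the lock.
const samplePkg = {
  name: "app",
  dependencies: { "left-pad": "1.3.0", lodash: "^4.17.21" },
  devDependencies: { eslint: "8.57.0" },
};
const sampleLock = {
  name: "app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "left-pad": "1.3.0", lodash: "^4.17.21" } },
    "node_modules/left-pad": { version: "1.3.0", integrity: "sha512-CONSTRUCTED" },
    "node_modules/lodash": { version: "4.17.21", integrity: "sha512-CONSTRUCTED" },
  },
};

function runSample() {
  return checkLock(samplePkg, sampleLock);
}

// CLI use: node lockcheck.js package.json package-lock.json
// With no arguments the constructed sample is checked instead.
if (typeof require !== "undefined" && require.main === module) {
  const [pkgPath, lockPath] = process.argv.slice(2);
  let problems;
  if (pkgPath && lockPath) {
    const fs = require("fs");
    const load = (p) => JSON.parse(fs.readFileSync(p, "utf8"));
    problems = checkLock(load(pkgPath), load(lockPath));
    if (problems.length) process.exitCode = 1;
  } else {
    problems = runSample();
  }
  for (const p of problems) console.error("lock check: " + p);
}
```

Run it against the sample and it reports three problems (lodash unpinned, eslint absent from the lock, root devDependencies out of sync); against real files it exits non-zero on any finding, so it can gate the job before `npm ci` or `npm install` is ever invoked.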

3np 5 days ago | parent

More importantly, avoid yarn[0] if you have a choice. They do not have a security posture fitting for 2025. There are way too many assumptions like "helpful" "magic" guessing/inferring what the user "actually wants" to "make things just work". See also: corepack.

[0]: legacy 1.x projects aside