kibwen 6 days ago

The downside of this approach is that this is how you create an ecosystem where legitimate security fixes never end up getting applied. There's no free lunch, you need to decide whether you're more concerned about vulnerabilities from intentional backdoors (and thus never update anything automatically) or vulnerabilities from ordinary unintentional bugs (and thus have a mechanism for getting security updates automatically).

chr15m 5 days ago

Yep. I'm calling it. The churn is more dangerous and fragile than the rot.

Two alternatives:

- The occasional alert from `npm audit` that you have to carefully, deliberately, and thoughtfully upgrade your way out of.

- The shifting sands of 100s or 1000s of towering deps that change literally every time you `pnpm install`.

The second one is the current situation and it is madness.

There should be no package lock because package.json should be the package lock.
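As an added example (not chr15m's or the thread's own code), a small check that reports every dependency specifier in a package.json that is not an exact version, so that the manifest itself pins the tree the way the comment above argues it should; the manifest it scans is constructed for illustration:

```javascript
// Added example, not from the thread: find dependency specifiers that are
// ranges, tags or URLs instead of exact semver versions. Only exact pins make
// package.json reproducible without a separate lock file.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Fields npm treats as installable dependencies.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Returns [{ field, name, spec }] for every specifier that is not an exact
// version. Anything matching here ("^", "~", ">=", "latest", git/http URLs)
// can resolve to a different artifact on the next install.
function findUnpinned(pkg) {
  const unpinned = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) unpinned.push({ field, name, spec });
    }
  }
  return unpinned;
}

// Constructed sample manifest (package names and versions are illustrative).
const samplePkg = {
  name: "example-app",
  dependencies: {
    "left-pad": "1.3.0",                                // exact: fine
    lodash: "^4.17.21",                                 // caret range
    express: "~4.18.0",                                 // tilde range
    "some-lib": "latest",                               // dist-tag
    "internal-lib": "git+https://example.invalid/r.git" // moving git ref
  },
  devDependencies: {
    typescript: "5.4.5",                                // exact: fine
    eslint: ">=8"                                       // open range
  }
};

const findings = findUnpinned(samplePkg);
for (const f of findings) {
  console.log(`${f.field}.${f.name}: "${f.spec}" is not an exact version`);
}
console.log(`${findings.length} unpinned specifier(s)`);
```

Setting `save-exact=true` in `.npmrc` makes `npm install <pkg>` write exact versions by default, so new entries pass this check without manual editing.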