JoshuaEN 5 days ago

I don't think this is realistic in the default npm ecosystem where projects can have 1000s of dependencies (with the majority being transitive with fuzzy versions).

Though pnpm does have a setting to help with this too: https://pnpm.io/settings#resolutionmode time-based, which effectively pins subdependencies based on the published time of the direct dependency.
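A simplified model of the time-based pinning described in the comment above, added as an illustration; it is not pnpm's code and not part of the original thread. The package names, versions and publish times are constructed, and the caret matcher handles only `^MAJOR.MINOR.PATCH` with major >= 1.

```javascript
// Constructed registry metadata: version -> publish time (assumed sample data).
const registry = {
  "direct-dep": { "2.0.0": "2024-03-01T00:00:00Z" },
  "sub-dep": {
    "1.2.0": "2024-01-10T00:00:00Z",
    "1.3.0": "2024-02-20T00:00:00Z",
    "1.4.0": "2024-05-15T00:00:00Z", // published after direct-dep@2.0.0
  },
};

const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};

// Minimal caret range: ^1.2.0 means >=1.2.0 and <2.0.0 (major >= 1 only).
function satisfiesCaret(version, range) {
  const base = range.slice(1);
  return parse(version)[0] === parse(base)[0] && cmp(version, base) >= 0;
}

// Highest version in range, optionally ignoring anything published after cutoff.
function resolve(name, range, cutoff) {
  const candidates = Object.entries(registry[name])
    .filter(([v]) => satisfiesCaret(v, range))
    .filter(([, t]) => cutoff === undefined || Date.parse(t) <= Date.parse(cutoff))
    .map(([v]) => v)
    .sort(cmp);
  if (candidates.length === 0) {
    throw new Error(`no version of ${name} in ${range} published by ${cutoff}`);
  }
  return candidates[candidates.length - 1];
}

// Default-style resolution: a fuzzy range floats to whatever is newest today.
const resolveHighest = (name, range) => resolve(name, range);

// Time-based model: the direct dependency's publish time is the cutoff.
function resolveTimeBased(name, range, directName, directVersion) {
  return resolve(name, range, registry[directName][directVersion]);
}

console.log(resolveHighest("sub-dep", "^1.2.0"));                          // 1.4.0
console.log(resolveTimeBased("sub-dep", "^1.2.0", "direct-dep", "2.0.0")); // 1.3.0
```

In this model a version of `sub-dep` published after the direct dependency is never selected, so a later release of a transitive package cannot enter the install through a fuzzy range.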

chr15m 5 days ago

Thousands of dependencies is exactly why you need to do this. It's fragile and dangerous to have thousands of possible changes in your software every time you `pnpm install`.

Thank you, I'll check out that setting!