Description
We should start pinning all our dependencies more aggressively, given the recent supply chain attacks and other problems arising from bumping dependencies. Some things to consider:
- latest/next/canary tests need to be exempt from pinning
- we keep some dependency versions ^-declared on purpose so that users can potentially install more recent (minor/patch) versions of the package and deduplicate the installed version. This concerns our bundler plugins mostly. A couple of OTel packages have the same strategy. We should re-evaluate if this makes sense on a package-by-package level.
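As an added illustration of the policy sketched above (this is example code, not the project's own tooling), the script below audits a package.json-style dependency map and reports every specifier that is not an exact version. It models the two exemptions from the list: dist-tags such as latest/next/canary are tolerated when the audited package is one of the canary/next test packages, and an explicit allowlist names the packages that are intentionally left ^-declared so users can deduplicate newer minor/patch releases. The package names and the policy object are constructed for the example.

```javascript
// Added example, not project code: flag non-pinned dependency specifiers in a
// package.json object, honouring the two exemptions discussed in the issue.

// Exact semver version, optionally with prerelease/build metadata (e.g. 1.2.3-beta.1).
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
// Dist-tags that the latest/next/canary test suites depend on by design.
const DIST_TAGS = new Set(['latest', 'next', 'canary']);
// Specifiers that do not resolve through the registry; a pinning audit leaves them alone.
const NON_REGISTRY = /^(npm:|file:|link:|workspace:|git\+|https?:)/;

// Classify one version specifier string.
function classifySpecifier(spec) {
  if (EXACT_VERSION.test(spec)) return 'exact';
  if (DIST_TAGS.has(spec)) return 'dist-tag';
  if (NON_REGISTRY.test(spec)) return 'non-registry';
  return 'range'; // ^, ~, >=, ||, x-ranges, etc.
}

// Walk dependencies/devDependencies/optionalDependencies and return findings.
// policy.allowCaret: Set of package names intentionally kept ^-declared.
// policy.allowDistTags: true for packages whose purpose is to test latest/next/canary.
function auditDependencies(pkg, { allowCaret = new Set(), allowDistTags = false } = {}) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpecifier(spec);
      if (kind === 'exact' || kind === 'non-registry') continue;
      if (kind === 'dist-tag' && allowDistTags) continue;
      if (kind === 'range' && spec.startsWith('^') && allowCaret.has(name)) continue;
      findings.push({ field, name, spec, kind });
    }
  }
  return findings;
}

// Constructed sample package.json (names are invented for the example).
const SAMPLE_PKG = {
  name: 'example-sdk',
  dependencies: {
    'example-pinned': '1.3.0',          // exact pin: passes
    'example-bundler-plugin': '^2.1.0', // ^-declared on purpose: passes only if allowlisted
    'example-util': '~0.4.2',           // tilde range: always flagged
  },
  devDependencies: {
    'example-framework': 'canary',      // dist-tag: passes only for canary/next test packages
    'example-build-tool': '>=5.0.0',    // open range: always flagged
  },
};

// Constructed policy: the bundler plugin keeps its caret, and this package is
// treated as one of the canary test packages.
const SAMPLE_POLICY = {
  allowCaret: new Set(['example-bundler-plugin']),
  allowDistTags: true,
};

console.log('strict audit:', auditDependencies(SAMPLE_PKG));
console.log('with exemptions:', auditDependencies(SAMPLE_PKG, SAMPLE_POLICY));
```

Running it against the sample reports four non-pinned specifiers under the strict policy and two once the caret allowlist and dist-tag exemption are applied; the two that remain (a tilde range and an open `>=` range) are the ones a per-package review would have to either pin or explicitly justify.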