Would it be better for package managers to default to staying at a fixed version? I know npm defaults to semver upgrades. You say
npm install foo@3.1.7
And it, by default, inserts "foo@^3.1.7", which means "anything 3.1.7 or higher but not 4.x.x".
In other words, the next time someone installs the dependencies it could be 3.1.8, 3.9.7, 3.1234.999 etc...
But maybe it should default to just the actual version and all upgrades should be required to be manual. Checking my HD I see I have lots of references to "rc@^1.1.6", "rc@^1.2.8" etc., all of which would install 1.2.9 if I reinstall the deps.
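The caret rule the comment describes, worked through as an added example (this is not code from the comment or from npm): the function below reimplements node-semver's caret semantics for plain `X.Y.Z` versions instead of importing the `semver` package, so it runs offline, and resolves a spec against a constructed version list the way an install would pick the newest matching release. It also goes beyond the comment's 3.x case to the 0.x case, where `^0.1.2` allows only `0.1.x`. The package name `rc` and its version list are constructed for the example, not taken from the registry.

```javascript
// Added example: npm-style caret range resolution against a constructed
// list of published versions. Reimplements node-semver's caret rule for
// plain X.Y.Z versions (no prerelease tags) so it runs without dependencies.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b (numeric, not lexical).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Exclusive upper bound of a caret range: the leftmost non-zero component
// is frozen. ^3.1.7 -> <4.0.0, ^0.1.2 -> <0.2.0, ^0.0.3 -> <0.0.4.
function caretUpperBound(base) {
  const [major, minor, patch] = parseVersion(base);
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// True if `version` satisfies `spec`, where spec is an exact pin "X.Y.Z"
// or a caret range "^X.Y.Z".
function satisfies(version, spec) {
  if (spec.startsWith('^')) {
    const base = spec.slice(1);
    const upper = caretUpperBound(base).join('.');
    return compareVersions(version, base) >= 0 && compareVersions(version, upper) < 0;
  }
  return compareVersions(version, spec) === 0;
}

// Highest available version matching spec, as a fresh install would pick;
// null if nothing matches.
function resolve(spec, available) {
  const matching = available.filter(v => satisfies(v, spec)).sort(compareVersions);
  return matching.length ? matching[matching.length - 1] : null;
}

// Constructed registry listing for the hypothetical package "rc".
const RC_VERSIONS = ['1.1.6', '1.1.7', '1.2.0', '1.2.8', '1.2.9', '2.0.0'];

// Both caret specs from the comment land on 1.2.9; the exact pin does not move.
const RESOLVED = Object.fromEntries(
  ['rc@^1.1.6', 'rc@^1.2.8', 'rc@1.2.8'].map(s => [s, resolve(s.split('@')[1], RC_VERSIONS)])
);
console.log(RESOLVED);
```

The two caret entries resolve to the same newest 1.x release, while the exact pin stays put; a lockfile is what normally keeps the caret result from drifting between installs, which is why checking it in matters when the manifest uses ranges.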