
Please consider not pinning direct dependencies

Open · wraithgar opened this issue 2 months ago · 1 comment

In the most recent version of this package, the dependency for cidr-regex was pinned to an exact version. I don't know the reasons for that; the commit doesn't mention one. I would urge the maintainers of this package to reconsider.

Semver ranges are an important part of tree building in the node ecosystem. It allows for dependencies to be used based on compatibility, and lessens the likelihood that every package in your tree is using a wholly separate individual version of a dependency.

wraithgar · Oct 08 '25 16:10

In the light of recent npm supply chain attacks, I've moved to pin dependencies, which is more secure because it eliminates an attack vector through indirect dependencies. But this of course comes at the cost of having multiple versions of the package in the tree.

Maybe I will make an exception for dependencies on my own modules, because if my npm account is compromised, it's likely that all modules would be compromised, so the pin would not bring much security benefit. Or maybe I will just bundle the dependency.

silverwind · Oct 08 '25 16:10
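As an added example (not code from the is-cidr project or from either commenter), a small Node.js script that audits a package.json for which dependencies are exact pins and which are semver ranges, the distinction the two comments above turn on. The manifest and its version numbers are constructed placeholders, not the real is-cidr or cidr-regex releases.

```javascript
// Added example: classify each dependency specifier in a package.json as an
// exact pin, a semver range, or a non-registry source, so a reviewer can see
// which entries resolve to one fixed version and which float within a range.
// The manifest below is constructed for this example; versions are placeholders.
const samplePackageJson = JSON.stringify({
  name: "is-cidr-example",
  dependencies: {
    "cidr-regex": "5.1.0",       // exact pin, as described in the issue
    "some-util": "^2.3.0",       // caret range: floats to newer 2.x releases
    "other-lib": "~1.4.2",       // tilde range: floats within 1.4.x
    "local-tool": "file:../tool" // non-registry source (path)
  }
});

// An exact pin is a bare MAJOR.MINOR.PATCH, optionally with a prerelease or
// build suffix, and no range operator in front of it.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function classifySpec(spec) {
  const s = spec.trim();
  if (EXACT_VERSION.test(s)) return "pinned";
  // URL schemes (file:, git+ssh:, https:), github: shorthands and paths are
  // not registry versions at all, so they are reported separately.
  if (/^(?:[a-z]+:|git\+|\.\/|\.\.\/|\/)/i.test(s)) return "non-registry";
  // Everything else (^, ~, >=, x-ranges, "*", dist-tags) can float.
  return "range";
}

// Returns { pinned: [...], range: [...], "non-registry": [...] } for the
// dependencies and devDependencies of a package.json string.
function auditDependencies(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const result = { pinned: [], range: [], "non-registry": [] };
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      result[classifySpec(spec)].push(`${name}@${spec}`);
    }
  }
  return result;
}

console.log(auditDependencies(samplePackageJson));
```

Pinned entries resolve to exactly one version no matter what the registry publishes later; range entries let npm deduplicate across the tree but also pick up any newly published version inside the range.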