Description
Description of the bug
The documentation specifies that either `npm install` or `yarn install` is called; however, it is widely known that these calls can result in newer versions of packages being installed that still meet the `package.json` version pattern requirements. It is generally best practice to use `npm ci` and `yarn install --frozen-lockfile` to ensure that only the versions specified in the lock files are what is actually installed.
- NPM: https://docs.npmjs.com/cli/v10/commands/npm-ci
- Yarn: https://classic.yarnpkg.com/lang/en/docs/cli/install/
> If you need reproducible dependencies, which is usually the case with the continuous integration systems, you should pass `--frozen-lockfile` flag.
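An added example, not taken from this issue or from the project it was filed against: a small POSIX sh helper a CI job can source. It picks the lockfile-honouring install command (`npm ci` when `package-lock.json` is present, `yarn install --frozen-lockfile` for a Yarn classic `yarn.lock`) and fails the build if the install step rewrote the lockfile, which is the symptom the report describes. The function names and the digest-comparison check are this example's own assumptions, not part of either package manager; the demonstration at the bottom uses a constructed lockfile and a stand-in command instead of a real install so it runs offline.

```shell
#!/usr/bin/env sh
# Example CI helper (added here; not the project's code). Chooses the
# install command that refuses to deviate from the lockfile, then checks
# that the lockfile is byte-identical after the install.

# Print the lockfile-honouring install command for the directory in $1.
# Returns 1 when no lockfile exists so CI never silently falls back to a
# resolving `npm install` / `yarn install`.
reproducible_install_cmd() {
  dir="${1:-.}"
  if [ -f "$dir/package-lock.json" ]; then
    echo "npm ci"
  elif [ -f "$dir/yarn.lock" ]; then
    # --frozen-lockfile is the Yarn classic (v1) flag named in the issue.
    echo "yarn install --frozen-lockfile"
  else
    echo "no package-lock.json or yarn.lock in $dir" >&2
    return 1
  fi
}

# SHA-256 of a file, using whichever digest tool the runner provides.
lockfile_digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Run the install in $1 and return 1 if the lockfile changed. $2 may
# override the command (the demo uses a harmless stand-in).
install_and_verify_lockfile() {
  dir="${1:-.}"
  if [ -n "${2:-}" ]; then
    cmd="$2"
  else
    cmd=$(reproducible_install_cmd "$dir") || return 1
  fi
  if [ -f "$dir/package-lock.json" ]; then
    lock="$dir/package-lock.json"
  else
    lock="$dir/yarn.lock"
  fi
  before=$(lockfile_digest "$lock")
  (cd "$dir" && sh -c "$cmd") || return 1
  after=$(lockfile_digest "$lock")
  if [ "$before" != "$after" ]; then
    echo "lockfile $lock was modified by '$cmd'; install is not reproducible" >&2
    return 1
  fi
  echo "lockfile unchanged"
}

# Demonstration with a constructed lockfile and a stand-in command that
# rewrites it, standing in for an install that resolved newer versions.
demo=$(mktemp -d)
printf '{"name":"demo","lockfileVersion":3,"packages":{}}\n' > "$demo/package-lock.json"
echo "CI should run: $(reproducible_install_cmd "$demo")"
install_and_verify_lockfile "$demo" 'echo "  drift" >> package-lock.json' \
  || echo "build would fail here"
rm -rf "$demo"
```

In a real pipeline the second function would be called with no override so the chosen `npm ci` or `yarn install --frozen-lockfile` runs; the digest check is belt-and-braces, since both commands already abort when the lockfile and `package.json` disagree, but it also catches a job that was accidentally switched back to a plain `npm install`.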
Reproduction instructions
Set up a repository with this package with a minimal configuration and a lock file. Observe that patch releases may automatically be installed that are not what's listed in the lock file.
Expected behavior
When packages are installed they should only be the versions in the lock file.
Environment info
No response
Relevant log output
No response
Additional context
No response
Code of Conduct
- I agree to follow this project's Code of Conduct