Lock dependency versions. Upgrade just ONCE per 3-12 months.

[paulmillr]

Which project does this relate to?

Router

Describe the bug

Context: I make security-focused NPM packages, with more downloads than tanstack-router. I've been trying to improve state of the ecosystem for 7 years, by reducing amount & size of deps.

---

When pull requests like #7430 are created, it feels odd. There are tens of dependency updates. How would you know that some of them weren't hacked? How do you know a new malware hadn't been added? Also, why is it necessary to always upgrade packages?

The idea is to:

1. Remove version ranges. This means no more ^7.28.5. Instead, 7.28.5 should be used. This will ensure auto-upgrades won't happen automatically
2. Follow rare upgrade schedule. It's completely unnecessary to upgrade versions every week. Or every month. This sounds like unnecessary "busy job" which doesn't automatically improve your product. Sure, there are small improvements in dependencies, here and there, but overall software tends to increase bloat over time. IMO, keeping just one version is good enough, even for 12 months. After 12 months, a detailed (manual, not automatic) upgrade review could be executed.

Complete minimal reproducer

https://example.com

[paulmillr]

No feedback? Team isn’t interested in this?