Hacker News

blueflow, yesterday at 11:38 AM (3 replies)

The same way it always has been done - vendor your deps.


Replies

joshstrange, yesterday at 12:12 PM

That literally makes no difference at all. You’ll just vendor the malicious versions. No, a lock file with only exact versions is the safe path here. We haven’t seen a compromise to existing versions that I know of, only patch/minor updates with new malicious code.

I maintain that the flexibility in npm package versions is the main issue here.

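An added illustration of the point above (example code written for this page, not something posted in the thread or taken from npm itself): a caret or tilde range in package.json admits a freshly published minor or patch release, while an exact pin does not, and a small audit that lists every dependency that is not pinned exactly. The package names are hypothetical, the package.json is constructed inline, and the range matching deliberately covers only plain `x.y.z`, `^x.y.z` and `~x.y.z` specifiers following npm's semver rules; anything else (prereleases, `||`, `>=`, `x`, `*`) is simply reported as non-exact.

```javascript
// Added example, not from the HN thread or npm's own code.
// Shows why "^1.2.3" pulls in a new 1.3.0 release while "1.2.3" does not,
// and audits a package.json for non-exact specifiers.
// Only plain x.y.z, ^x.y.z and ~x.y.z specifiers are evaluated here.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1).map(Number);
}

// Lexicographic compare of [major, minor, patch] triples.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret or tilde range, per npm semver:
// ~x.y.z allows patch bumps only; ^x.y.z freezes the leftmost non-zero part.
function upperBound(op, [maj, min, pat]) {
  if (op === '~') return [maj, min + 1, 0];
  if (maj > 0) return [maj + 1, 0, 0];
  if (min > 0) return [0, min + 1, 0];
  return [0, 0, pat + 1];
}

// Would this package.json specifier accept the candidate version?
function rangeAdmits(spec, candidate) {
  const c = parseVersion(candidate);
  const m = /^([~^]?)(\d+\.\d+\.\d+)$/.exec(spec);
  if (!m) throw new Error(`unsupported specifier: ${spec}`);
  const [, op, base] = m;
  const b = parseVersion(base);
  if (op === '') return compare(c, b) === 0;          // exact pin: one version only
  return compare(c, b) >= 0 && compare(c, upperBound(op, b)) < 0;
}

function isExactPin(spec) {
  return /^\d+\.\d+\.\d+$/.test(spec);
}

// Returns "field.name=spec" for every dependency that is not an exact pin.
function auditPins(pkg) {
  const out = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!isExactPin(spec)) out.push(`${field}.${name}=${spec}`);
    }
  }
  return out;
}

// Constructed package.json with hypothetical package names.
const examplePkg = {
  dependencies: { 'example-lib': '^1.2.3', 'other-lib': '1.0.0' },
  devDependencies: { 'build-tool': '~4.1.0' },
};

// A newly published 1.3.0 of example-lib (the "new minor with bad code" case):
console.log(rangeAdmits('^1.2.3', '1.3.0')); // → true: the caret range takes it
console.log(rangeAdmits('1.2.3', '1.3.0'));  // → false: the exact pin ignores it
console.log(auditPins(examplePkg));          // → the two non-exact specifiers
```

In practice the same outcome comes from `save-exact=true` in `.npmrc` (so `npm install` writes exact versions) together with installing from the lockfile with `npm ci`, which refuses to resolve anything the lockfile does not already pin; the audit above is only useful as a guard against ranges creeping back into package.json, because the lockfile is what actually freezes transitive dependencies.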
sph, yesterday at 11:48 AM

To be fair, this only works in ecosystems where libraries are stable and don't break every 3 months, as often happens in the JS world.

You can vendor your left-pad, but good luck doing that with a third-party SDK.

hu3, yesterday at 11:45 AM

That's what I do whenever feasible. Which is often.