No wildcard or excessively loose version ranges

Why it matters

Wildcard and unbounded version specifiers like *, latest, and >=1.0.0 mean that every npm install across your team and CI pipeline can resolve to a different package version — potentially including versions published hours ago by a compromised maintainer. SLSA L2 requires that the build be reproducible from a pinned artifact; "package": "latest" makes that impossible. CWE-1357 covers reliance on components that cannot be verified to a fixed state. SSDF PS.1 (Protect All Code from Unauthorized Access and Tampering) implicitly requires that the software composition be deterministic. AI tools in particular have a habit of generating "latest" as a version specifier — it seems convenient but it converts every npm install into a potential silent update from the registry.

Remediation

Replace all wildcard specifiers with pinned caret ranges. To find the currently-installed version for any dependency:

npm list package-name

Then update package.json:

// Before (dangerous):
"some-package": "*",
"another-package": "latest"

// After (safe):
"some-package": "^2.3.1",
"another-package": "^4.0.0"

Commit the resulting lock file change alongside this fix to ensure the pins are fully recorded.

Detection

ID: dependency-supply-chain.maintenance.no-wildcard-versions
Severity: medium
What to look for: Inspect dependencies and devDependencies in package.json for version specifiers that allow unbounded version resolution: * (any version), x (same as *), latest (resolves to whatever is latest at install time), or ranges like >=1.0.0 without an upper bound. The ^ caret (e.g., ^1.2.3) is acceptable because it allows minor/patch updates within the same major. The ~ tilde (e.g., ~1.2.3) is acceptable. >=1.0.0 without a <2.0.0 upper bound is not acceptable. Count all instances found and enumerate each.
Detector snippet (shell-capable tools only): If rg is available, scan package.json for literal "*" or "latest" version specifiers. Exit 0 with output means at least one wildcard exists — fail with count. Exit 1 with no output means no wildcards — pass. Exit >=2 — fall back to prose reasoning.
```
rg '"(\*|latest)"' package.json
```
Pass criteria: All version specifiers use specific versions (1.2.3), caret ranges (^1.2.3), tilde ranges (~1.2.3), or other bounded ranges. No *, latest, x, or unbounded >= ranges. At least 1 implementation must be confirmed.
Fail criteria: Any entry in dependencies or devDependencies uses *, latest, x, or an unbounded >= range.
Skip (N/A) when: No package.json detected.
Detail on fail: "package.json has wildcard version specifiers: some-package: '*', another-package: 'latest' — these resolve to unpredictable versions at install time" List up to 5 affected packages.
Remediation: Wildcard version specifiers mean your project installs whatever version is current at the time of npm install. This can silently introduce breaking changes or malicious updates.

Replace wildcards with specific pinned versions or caret ranges:
```
// Before (dangerous):
"some-package": "*",
"another-package": "latest"

// After (safe):
"some-package": "^2.3.1",
"another-package": "^4.0.0"
```
To see the currently installed version and use that as your pin:
```
npm list some-package
```

Why it matters

Remediation

Replace all wildcard specifiers with pinned caret ranges. To find the currently-installed version for any dependency:

npm list package-name

Then update package.json:

// Before (dangerous):
"some-package": "*",
"another-package": "latest"

// After (safe):
"some-package": "^2.3.1",
"another-package": "^4.0.0"

Commit the resulting lock file change alongside this fix to ensure the pins are fully recorded.

Detection

ID: dependency-supply-chain.maintenance.no-wildcard-versions
Severity: medium
What to look for: Inspect dependencies and devDependencies in package.json for version specifiers that allow unbounded version resolution: * (any version), x (same as *), latest (resolves to whatever is latest at install time), or ranges like >=1.0.0 without an upper bound. The ^ caret (e.g., ^1.2.3) is acceptable because it allows minor/patch updates within the same major. The ~ tilde (e.g., ~1.2.3) is acceptable. >=1.0.0 without a <2.0.0 upper bound is not acceptable. Count all instances found and enumerate each.
Detector snippet (shell-capable tools only): If rg is available, scan package.json for literal "*" or "latest" version specifiers. Exit 0 with output means at least one wildcard exists — fail with count. Exit 1 with no output means no wildcards — pass. Exit >=2 — fall back to prose reasoning.
```
rg '"(\*|latest)"' package.json
```
Pass criteria: All version specifiers use specific versions (1.2.3), caret ranges (^1.2.3), tilde ranges (~1.2.3), or other bounded ranges. No *, latest, x, or unbounded >= ranges. At least 1 implementation must be confirmed.
Fail criteria: Any entry in dependencies or devDependencies uses *, latest, x, or an unbounded >= range.
Skip (N/A) when: No package.json detected.
Detail on fail: "package.json has wildcard version specifiers: some-package: '*', another-package: 'latest' — these resolve to unpredictable versions at install time" List up to 5 affected packages.
Remediation: Wildcard version specifiers mean your project installs whatever version is current at the time of npm install. This can silently introduce breaking changes or malicious updates.

Replace wildcards with specific pinned versions or caret ranges:
```
// Before (dangerous):
"some-package": "*",
"another-package": "latest"

// After (safe):
"some-package": "^2.3.1",
"another-package": "^4.0.0"
```
To see the currently installed version and use that as your pin:
```
npm list some-package
```

No wildcard or excessively loose version ranges

Why it matters

Severity rationale

Remediation

Detection

External references

Taxons

History

No wildcard or excessively loose version ranges

Why it matters

Severity rationale

Remediation

Detection

External references

Taxons

History