I am disturbed by the cavalier dismissal of the security vulnerability created by mutable and upgradeable versions.

npm does not have "immutable versions" -- the library you depend on can be replaced with different code given the same version label, and with a normal toolchain this change would be picked up without even alerting you. As far as I can tell, this has not been exploited, but it is ripe for abuse.

Furthermore, a package manager is more than just the server it runs on -- things like the culture of how it is used also matter. As far as I can tell (please convince me I am wrong about this), common practice with npm is to import "the latest" version of a library -- that's a security problem AND a version incompatibility just waiting to bite someone.