A patch updates is a newer version, and they are just as likely to be compromised by supply chain attacks as minor or major updates.
replyNot exactly.
replySecurity patches aren't like bugs or features where you can just roll a new version. Often patches need to be backported to older versions allowing software and libraries to be "upgraded" in place with no other change introduced.
Say you had software that controlled the careful mix of chemicals introduced into a municipal water supply. You just don't move from version 1.4 to 3.2, you fix 1.4 in place.
No, you create version 1.4.19, which fixes a bug in 1.4.18.
replyWho is 'you' here? All of the npm package maintainers?
replyYes, if they all just backport security patches we'll be fine. No, people are not going to just.
Ah yes the incredibly common practice of... checks notes backporting security packages in node packages.
replySemver doesn't help if you just declare all older versions EOL.
replyWhat you're looking for are Debian stable packages. :p