📝 Minimal Version Selection Revisited (Alex Kladov).

This is quite neat — it puts a natural damper on supply chain attacks. If a bad version of a library is released, someone needs to explicitly opt into this new version. What’s more, the deeper in your dependency tree the library is, the more explicit approvals are required for the library to propagate to your project.
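To make the opt-in property concrete, here is an added toy resolver (not code from the linked article or from any real package manager) that runs minimal version selection over a constructed registry. The module names, versions and manifests are assumptions chosen for the example: a root depends on `a`, which depends on `b`, which depends on `c`, and `c@1.1.0` plays the role of a freshly uploaded version that nobody has vetted. A "take the newest" policy is included only as a contrast.

```python
# Added example: minimal version selection (MVS) over a constructed module graph.
# Nothing here is from the linked article; names and versions are made up.
from dataclasses import dataclass

Version = tuple[int, int, int]


@dataclass(frozen=True)
class Module:
    name: str
    version: Version
    # Requirements exactly as declared in this version's manifest (go.mod / Cargo.toml analogue).
    requires: tuple[tuple[str, Version], ...] = ()


# Constructed registry: every published (name, version) and what it requires.
# c@1.1.0 is the newly published version that no manifest has opted into yet.
REGISTRY = {
    ("a", (1, 0, 0)): Module("a", (1, 0, 0), (("b", (1, 0, 0)),)),
    ("b", (1, 0, 0)): Module("b", (1, 0, 0), (("c", (1, 0, 0)),)),
    ("c", (1, 0, 0)): Module("c", (1, 0, 0)),
    ("c", (1, 1, 0)): Module("c", (1, 1, 0)),
}

ROOT = Module("root", (0, 0, 0), (("a", (1, 0, 0)),))


def mvs(registry, root):
    """Minimal version selection: walk every requirement edge reachable from the
    root and keep, per module name, the highest version that some manifest
    explicitly asked for. A version no reachable manifest mentions is never chosen."""
    selected: dict[str, Version] = {}
    stack, seen = [root], set()
    while stack:
        mod = stack.pop()
        for name, ver in mod.requires:
            if ver > selected.get(name, (0, 0, 0)):
                selected[name] = ver
            if (name, ver) not in seen:
                seen.add((name, ver))
                stack.append(registry[(name, ver)])
    return selected


def latest_selection(registry, root):
    """Contrast policy: resolve every reachable name to the newest version in the
    registry. A fresh upload is picked up with no opt-in from anyone."""
    selected: dict[str, Version] = {}
    stack = [root]
    while stack:
        mod = stack.pop()
        for name, _ in mod.requires:
            if name in selected:
                continue
            newest = max(v for (n, v) in registry if n == name)
            selected[name] = newest
            stack.append(registry[(name, newest)])
    return selected


def opt_ins_required(registry, root, target):
    """How many manifests must change for a new version of `target` to reach the
    root along the existing chain: every module on the path publishes a version
    requiring the bump below it, and the root bumps its top-level requirement.
    This is simply the depth of `target` under MVS (None if unreachable)."""
    frontier, seen = [(root, 0)], set()
    while frontier:
        mod, depth = frontier.pop(0)
        for name, ver in mod.requires:
            if name == target:
                return depth + 1
            if (name, ver) not in seen:
                seen.add((name, ver))
                frontier.append((registry[(name, ver)], depth + 1))
    return None


def after_explicit_upgrades():
    """Simulate the three opt-ins: b and a each publish a version requiring the
    bump below them, and the root bumps its requirement on a. Only then does
    c@1.1.0 enter the build list."""
    reg = dict(REGISTRY)
    reg[("b", (1, 1, 0))] = Module("b", (1, 1, 0), (("c", (1, 1, 0)),))
    reg[("a", (1, 1, 0))] = Module("a", (1, 1, 0), (("b", (1, 1, 0)),))
    bumped_root = Module("root", (0, 0, 0), (("a", (1, 1, 0)),))
    return mvs(reg, bumped_root)


if __name__ == "__main__":
    print("MVS        :", mvs(REGISTRY, ROOT))
    print("newest-wins:", latest_selection(REGISTRY, ROOT))
    print("opt-ins needed for c:", opt_ins_required(REGISTRY, ROOT, "c"))
    print("after bumps:", after_explicit_upgrades())
```

Under `mvs`, `c` resolves to `1.0.0` even though `1.1.0` is the newest upload, while `latest_selection` pulls `1.1.0` in immediately; `opt_ins_required` reports three manifest changes for `c` at depth three. One caveat the count leaves out: the root module can always add a direct requirement on `c@1.1.0` itself, which is a single change but is still an explicit, reviewable decision in the root's own manifest rather than something that happens on publish.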