create-react-app issue #11906
Issue created Jan 11, 2022 by Administrator (@root)

PIN YOUR DEPENDENCIES (Or how I broke CRA for everyone today)

Created by: shellscape

Is your proposal related to a problem?

Sure is. I'm the maintainer of webpack-manifest-plugin and I bricked create-react-app for a few minutes this morning. Turns out that npm had one of those very rare npm pack hiccups and a version snuck out to the registry without any dist code.

Describe the solution you'd like

Pin your dang dependencies, people! This project is big enough and used by enough people (especially the legions of newbies who don't know how to diagnose or triage dependency issues) that this project should not be using transitive dependencies for critical pieces of library architecture. This https://github.com/facebook/create-react-app/blob/221e511730ca51c036c6954a9d2ee7659ff860f9/packages/react-scripts/package.json#L76 should not be transitive, it should be pinned.

CRA won't start up if webpack-manifest-plugin is hosed. And it was. So it was effectively bricked.

Describe alternatives you've considered

Pray to the Flying Spaghetti Monster (didn't work)

Additional context

Given the issues that we've seen recently, and most recently with colors.js bricking the world, this seems wise to resolve. I'd bet there are a bunch more critical deps that won't allow CRA to start up should something be awry as well.
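
An added example, not part of the original issue and not code from create-react-app or webpack-manifest-plugin: a small Node.js check that lists every dependency in a `package.json` whose specifier is not one exact version, so a newly published release cannot be picked up at install time without a manifest change. The manifest, package names other than `webpack-manifest-plugin`, and all version numbers are constructed sample input; `classifySpec` and `findUnpinned` are hypothetical helper names.

```javascript
// Added example: report package.json dependency specs that are not pinned to
// one exact version. SAMPLE_MANIFEST is constructed input, not CRA's manifest.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
// peerDependencies are left out: they are ranges by design.
const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Classify a specifier by how much freedom it gives the installer.
function classifySpec(spec) {
  const s = String(spec).trim();
  // "=1.2.3" and "v1.2.3" resolve to a single version, same as "1.2.3".
  if (EXACT.test(s.replace(/^=?v?/, ''))) return 'exact';
  if (s === '' || s === '*' || /^x$/i.test(s)) return 'any';
  if (/^(?:git|https?|file|github|npm|link|workspace)[+:]/.test(s) || s.includes('/')) {
    return 'url-or-alias'; // not a registry version; review by hand
  }
  if (s.startsWith('^')) return 'caret';
  if (s.startsWith('~')) return 'tilde';
  if (/[<>|\s*]|^\d+(?:\.\d+)?$|\.x\b/i.test(s)) return 'range';
  return 'dist-tag'; // e.g. "latest", "next"
}

// Return one finding per dependency that is not pinned to an exact version.
function findUnpinned(manifest, sections = SECTIONS) {
  const findings = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      const kind = classifySpec(spec);
      if (kind !== 'exact') findings.push({ section, name, spec, kind });
    }
  }
  return findings;
}

// Constructed sample manifest; every version below is made up for the demo.
const SAMPLE_MANIFEST = {
  name: 'example-scripts',
  dependencies: {
    'webpack-manifest-plugin': '^4.0.2',
    'pinned-lib': '2.3.1',
    'loose-lib': '>=1.0.0 <3.0.0',
    'tagged-lib': 'latest',
  },
  devDependencies: { 'forked-lib': 'github:example/forked-lib#main', 'minor-lib': '~1.4.0' },
};

for (const f of findUnpinned(SAMPLE_MANIFEST)) {
  console.log(`${f.section}: ${f.name}@${f.spec} (${f.kind})`);
}
```

Exact versions in `package.json` fix only the direct dependencies; anything those packages declare with ranges still resolves at install time unless a lockfile is in effect.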
