# Pin exact versions when adding new dependencies (no ^ or ~ prefix).
# This prevents accidentally pulling in a compromised newer version
# when running `npm install <package>`. Updates are intentional via
# `npm update` or Dependabot PRs — both go through CI review.
save-exact=true
