svg-url-loader: problem with `file-loader` and deps
Please use `file-loader: "^4.2.0"` in package.json, or you can do a new release for each file-loader version. The latest file-loader now uses a new version of schema-utils, but this loader uses an old version, and node_modules contains the old version of schema-utils. Also, some behavior can be improved or changed, and that creates an incompatibility with the original logic in file-loader.

Same for loader-utils.
About this issue
- Original URL
- State: closed
- Created 5 years ago
- Comments: 15 (10 by maintainers)
I don’t really care about how popular repos are doing things. It’s a thing you should look at, but being popular does not mean they are all doing things right. We had 3 cases when a karma dependency specified as `^` caused build issues for us (at that time we were not using a lockfile). If karma used pinned versions down the dependency tree, we wouldn’t have any issue, even without a lockfile.

Everyone, always, spreads versions with potential bugs or vulnerabilities. The problem is how fast he will fix security issues.

With fixed (and latest) dependencies I publish a version which works and doesn’t have any security issues, unless found. When someone finds a security issue, he releases a new version, I update the version number in my package and everything is fine.

I’ve already changed to `~`, as packages usually publish patch versions when they fix security issues. I think it is extremely rare to publish a minor version for fixing a security issue, and it is not good practice by definition: “PATCH version when you make backwards compatible bug fixes.” (this is taken from https://semver.org/)

I think we don’t understand each other. As I’ve said, send me the link to the long, detailed article you already agree with. Perhaps after I go through it, it will make the conversation more productive.
Otherwise I am going to lock this issue as this conversation seems to be going nowhere.
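As an added example (not code from this issue, from svg-url-loader, file-loader or npm), the following JavaScript spells out what the three specifiers argued about above actually allow: an exact pin `4.2.0`, `~4.2.0` (patch updates only) and `^4.2.0` (minor and patch updates). It also covers the caret's special handling of `0.x` versions, which the thread does not discuss. The list of "published" versions is constructed for the example and does not correspond to file-loader's real releases; `resolve` mimics the choice an install without a lockfile makes, namely the highest version in range.

```javascript
// Added example (not part of svg-url-loader or file-loader): a minimal
// resolver for the dependency specifiers discussed in the thread. It mirrors
// npm's caret (^), tilde (~) and exact-pin semantics for plain x.y.z versions
// (no prerelease tags or build metadata).

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Numeric ordering of two parsed versions (negative, zero, positive).
function cmp(a, b) {
  return (a.major - b.major) || (a.minor - b.minor) || (a.patch - b.patch);
}

function compareVersions(a, b) {
  return cmp(parseVersion(a), parseVersion(b));
}

// Returns { min, maxExclusive }; maxExclusive is null for an exact pin.
function rangeBounds(spec) {
  const op = spec[0] === '^' || spec[0] === '~' ? spec[0] : '';
  const base = parseVersion(op ? spec.slice(1) : spec);
  if (op === '') return { min: base, maxExclusive: null };
  if (op === '~') {
    // ~x.y.z: patch updates only, i.e. >=x.y.z <x.(y+1).0
    return { min: base, maxExclusive: { major: base.major, minor: base.minor + 1, patch: 0 } };
  }
  // ^x.y.z: anything that does not change the leftmost non-zero component.
  if (base.major > 0) return { min: base, maxExclusive: { major: base.major + 1, minor: 0, patch: 0 } };
  if (base.minor > 0) return { min: base, maxExclusive: { major: 0, minor: base.minor + 1, patch: 0 } };
  return { min: base, maxExclusive: { major: 0, minor: 0, patch: base.patch + 1 } };
}

function satisfies(version, spec) {
  const v = parseVersion(version);
  const { min, maxExclusive } = rangeBounds(spec);
  if (maxExclusive === null) return cmp(v, min) === 0;
  return cmp(v, min) >= 0 && cmp(v, maxExclusive) < 0;
}

// Without a lockfile the installer takes the highest published version that
// satisfies the range; returns null when nothing matches.
function resolve(spec, published) {
  const matching = published.filter((v) => satisfies(v, spec));
  if (matching.length === 0) return null;
  return matching.sort(compareVersions).pop();
}

// Constructed list of "published" versions; hypothetical, for the example only.
const PUBLISHED = ['4.1.0', '4.2.0', '4.2.1', '4.3.0', '5.0.0'];

// What each specifier from the discussion would install from PUBLISHED.
function demo() {
  return {
    caret: resolve('^4.2.0', PUBLISHED), // picks up 4.3.0: a minor release
    tilde: resolve('~4.2.0', PUBLISHED), // picks up 4.2.1: a patch release only
    exact: resolve('4.2.0', PUBLISHED),  // stays on 4.2.0
  };
}
```

The difference the maintainer relies on is visible in `demo()`: with `~` the loader still receives a patch release that fixes a security bug, while the minor release that could change behaviour (or pull in a different schema-utils) is excluded; an exact pin receives neither without a new release of the loader itself.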