Why It Matters
Unbounded dependency selectors reduce reproducibility and make installs drift over time, which increases supply-chain review risk for shared automation and CI.
What Triggers
SEC745 matches dependency entries in package.json when the version spec is exactly * or latest inside dependency sections such as dependencies, devDependencies, optionalDependencies, or peerDependencies.
False Positives
Some throwaway demos use latest or *, but committed shared manifests should prefer explicit reviewed versions or constrained ranges so installs stay predictable.
Remediation
Replace * or latest with an explicit reviewed version or a constrained range that matches your update policy.
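The trigger condition and the remediation described above, as an added example (not the scanner's own code): a small check that approximates the SEC745 condition as this page states it, run over a manifest before and after the fix. The function name, package names and versions are constructed for illustration.

```javascript
// Added example: approximates the SEC745 condition as described on this page.
const DEPENDENCY_SECTIONS = [
  "dependencies",
  "devDependencies",
  "optionalDependencies",
  "peerDependencies",
];
const UNBOUNDED_SPECS = new Set(["*", "latest"]);

// Returns one finding per dependency whose spec is exactly "*" or "latest".
function findUnboundedSelectors(manifestText) {
  const manifest = JSON.parse(manifestText);
  const findings = [];
  for (const section of DEPENDENCY_SECTIONS) {
    const entries = manifest[section];
    // Skip missing or malformed sections instead of throwing.
    if (entries === null || typeof entries !== "object" || Array.isArray(entries)) continue;
    for (const [name, spec] of Object.entries(entries)) {
      if (typeof spec === "string" && UNBOUNDED_SPECS.has(spec)) {
        findings.push({ section, name, spec });
      }
    }
  }
  return findings;
}

// Constructed sample manifests (package names and versions are illustrative).
const FLAGGED_MANIFEST = JSON.stringify({
  name: "sample-app",
  scripts: { release: "latest" }, // not a dependency section, so ignored
  dependencies: { express: "*", lodash: "^4.17.21" },
  devDependencies: { eslint: "latest", typescript: "~5.4.0" },
  optionalDependencies: { fsevents: "*" },
  peerDependencies: { react: ">=18 <20" },
});
const REMEDIATED_MANIFEST = JSON.stringify({
  name: "sample-app",
  dependencies: { express: "4.19.2", lodash: "^4.17.21" },
  devDependencies: { eslint: "^8.57.0", typescript: "~5.4.0" },
  optionalDependencies: { fsevents: "~2.3.3" },
  peerDependencies: { react: ">=18 <20" },
});

for (const f of findUnboundedSelectors(FLAGGED_MANIFEST)) {
  console.log(`SEC745 ${f.section}.${f.name}: "${f.spec}"`);
}
console.log(findUnboundedSelectors(REMEDIATED_MANIFEST).length, "findings after remediation");
```

Constrained ranges such as ^4.17.21 or >=18 <20 are not reported, since only the exact specs * and latest match.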