Thoughts on locking version of "ms" dependency?

Hello 👋 I wanted to open this issue to get a gauge on the single dependency the module has.

Currently this module as a dependency on ms with the semver range set to ^2.1.1.

This in itself is not bad. I know bumping dependency versions is annoying, as well.

I just wanted to check on if there would be strong disinterest in setting it to, like 2.1.1. The reason I’m even bothering to ask is because I love this module, and love using it. When I look at the modules in use, I look at the list of users who can affect the final install. When another package (package_a) takes a dependency on debug, even if it pins the version of debug it depends on (thus none of the debug publishers can affect package_a), all the current and future publishers of ms can still alter the final install of package_a, which means users of package_a must trust the author(s) of ms.

The ms module does not seem to change regularly, so that why I’m even bothering to propose this to get a gauge on the opinions here.

If it’s agreeable, I can make a pull request with the change, even. I’d love to see it backported to the 3.x series (as it seems there have been backports according to npm info debug time), but if 3.x is dead now, then even just 4.x is cool.

Let me know what you think, and if you’re “no” you won’t hurt my feelings 😃