Description

tman install uses a best-effort approach with the manifest-lock file, meaning the actual downloaded dependency versions may differ from those described in the manifest-lock file, leading to "implicit" version dependencies.
The desired approach is a stricter method that strictly follows the manifest-lock file to ensure explicit and traceable dependency versions. This is primarily intended for CI build and packaging scenarios. A potential additional optimization is that it would no longer need to search for more suitable packages, but instead download them directly, saving time.

Severity

Major

Additional Information

npm ci may be a good reference.