Quick rust rant: Cargo's default requirements are ...
# random
w
Quick rust rant: Cargo's default requirements are insane. For a language that prides itself on safety and security - it should be falling into a pit of safety everywhere, especially with supply chain. If I type in the package version "1.2.3" - I'm typically not expecting the possibility of "1.99.99" as well. While I think npm versioning has too many options, at least if you type a full specifier, you get the full specifier and nothing else. Sane default. To take it a step further, I think without a range, caret, or tilde - you should enforce wildcards so people always know what they're getting into.
Default requirements

Default requirements specify a minimum version with the ability to update to SemVer compatible versions. Versions are considered compatible if their left-most non-zero major/minor/patch component is the same. This is different from SemVer which considers all pre-1.0.0 packages to be incompatible.

1.2.3 is an example of a default requirement.

1.2.3  :=  >=1.2.3, <2.0.0
1.2    :=  >=1.2.0, <2.0.0
1      :=  >=1.0.0, <2.0.0
0.2.3  :=  >=0.2.3, <0.3.0
0.2    :=  >=0.2.0, <0.3.0
0.0.3  :=  >=0.0.3, <0.0.4
0.0    :=  >=0.0.0, <0.1.0
0      :=  >=0.0.0, <1.0.0
I'm currently going through Pants's dependencies to trim some fat - and every time I go into a Cargo.toml - I immediately have this thought. Every time.
h
Yeah, that is mental
w
The other one is that crates.io still (as far as I can see) hasn't mandated namespaced crates. Relying on a flat namespace is a great way to get name squatters and it just makes the dependency space more confusing. NPM eventually added namespaces, and I think JSR mandates them. Even the standard library for Deno is namespaced: https://jsr.io/@std Makes fat-fingering a squatted package even harder if instead of:
tokio = ...
axum = ...
prost = ...
I had to do:
@tokio/runtime = ...
@tokio/axum = ...
@tokio/prost = ...
Becomes an org squatting issue, but that is a more tractable problem I think
This was recently triggered again because of: https://github.com/tower-lsp-community/tower-lsp-server/issues/3
tower-lsp fork becomes?
tower-lsp2
2tower-2lsp
hightower-lsp
tower-lzp
How do you name a fork of something that is unmaintained? Similar problem for lsp_types - there needed to be ls_types and I think Microsoft used lsprotocol for theirs. And for basic, short names that one could expect to be from the first-party rust-lang team? 2 of these are from rust-lang
future =
futures =
log = 
rand = 
uuid =