Those are just as easy when using the standard "semver compatible with the specified version" approach. The lockfile will prevent such attacks on build, and on upgrade it doesn't really matter security-wise if the new version has the same major version.
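As an added illustration of the two mechanisms the comment relies on (not code from the commenter or from any package manager), the script below models a caret range such as `^1.2.3` and a lockfile entry that pins an exact version plus an SRI integrity hash, in the style of npm's `package-lock.json`. The package name, the lockfile entry and the tarball bytes are constructed for the example; the caret rule is simplified to versions with major >= 1.

```python
import base64
import hashlib
import re

# Plain MAJOR.MINOR.PATCH versions only (no prerelease or build metadata).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(v):
    m = VERSION_RE.match(v)
    if not m:
        raise ValueError(f"not a plain semver version: {v}")
    return tuple(int(x) for x in m.groups())


def caret_allows(range_spec, candidate):
    """True if `candidate` satisfies "^x.y.z": same major, not older than x.y.z.

    Simplification: only ranges whose major is >= 1 are modelled here.
    """
    if not range_spec.startswith("^"):
        raise ValueError("only caret ranges are handled in this example")
    base = parse_version(range_spec[1:])
    if base[0] == 0:
        raise ValueError("0.x caret ranges pin the minor; not modelled here")
    cand = parse_version(candidate)
    return cand[0] == base[0] and cand >= base


def resolve_upgrade(range_spec, available):
    """Upgrade step: pick the newest published version the range still allows."""
    allowed = [v for v in available if caret_allows(range_spec, v)]
    if not allowed:
        return None
    return max(allowed, key=parse_version)


def sri_sha512(data):
    """Subresource-Integrity style digest, as used in npm lockfiles."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


def verify_locked(lock_entry, version, tarball):
    """Install (build) step: the lockfile wins, not the range.

    Both the exact version and the tarball digest must match what was locked,
    so a substituted or tampered artifact is rejected even if its version
    number would satisfy the semver range.
    """
    if version != lock_entry["version"]:
        return False
    return sri_sha512(tarball) == lock_entry["integrity"]


# Constructed sample data: a hypothetical package "example-lib" locked at 1.2.3.
GOOD_TARBALL = b"example-lib 1.2.3 tarball contents (constructed)"
LOCK_ENTRY = {
    "name": "example-lib",
    "version": "1.2.3",
    "integrity": sri_sha512(GOOD_TARBALL),
}


if __name__ == "__main__":
    # Build: lockfile pins the artifact; a tampered tarball fails the check.
    print(verify_locked(LOCK_ENTRY, "1.2.3", GOOD_TARBALL))          # True
    print(verify_locked(LOCK_ENTRY, "1.2.3", GOOD_TARBALL + b"!"))   # False
    # Upgrade: "^1.2.3" moves within major 1 only; 2.0.0 is never selected.
    print(resolve_upgrade("^1.2.3", ["1.2.3", "1.4.0", "2.0.0"]))    # 1.4.0
```

The split matters: `verify_locked` is what runs on every clean install and does not consult the range at all, while `resolve_upgrade` is the only place the caret range is evaluated, and it can never cross a major version boundary.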