[BUG] Extensions with package.json should fetch exact version from CDN

[philippjfr]

Currently pre-built extensions with a package.json generate a CDN URL using:

cdn_url = f"{_default_cdn_host}/{pkg_name}@^{pkg_version}/{pkg_main}"

While following semver makes might be a technically justifiable position it can cause very hard to debug issues because the caret (^) means that NPM will fetch any “Compatible with version”, i.e. all minor/patch versions, without incrementing the major version. ^2.3.4 will use releases from 2.3.4 to <3.0.0. Since almost no library actually follows semver this means that even though you might have installed Panel 0.11.3 in Python it will still fetch panel.js 0.12.0 from CDN.

Therefore I would strongly suggest that it specifies the exactly matching version from CDN.

[bryevdv]

Therefore I would strongly suggest that it specifies the exactly matching version from CDN.

For extensions I agree 100%. I suppose we could make it configurable but default to exact versions.