github:feross/buffer version is not pinned #34

Open
IlyaSemenov opened this issue Mar 8, 2024 · 0 comments
Describe the bug
github:feross/buffer version is not pinned and updates on every occasion (this causes an undesired pnpm-lock.yaml update on unrelated operations).

See:

"buffer": "github:feross/buffer"

To Reproduce
Steps to reproduce the behavior:

  1. In a pnpm project, run: pnpm add easy-web-crypto.
  2. Update pnpm-lock.yaml to some older github.com/feross/buffer commit:

  github.com/feross/buffer/5ac5ac465976d40de0cf3bc3afd9ec9ca04975f2:
    resolution: {tarball: https://codeload.github.com/feross/buffer/tar.gz/5ac5ac465976d40de0cf3bc3afd9ec9ca04975f2}
    name: buffer
    version: 6.0.3
    dependencies:
      base64-js: 1.5.1
      ieee754: 1.2.1
    dev: false

  3. Install some unrelated dependency: pnpm add dotenv-cli
  4. The lock file updates to include the new buffer commit:
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -223,6 +223,9 @@ importers:
       '@vitejs/plugin-vue':
         specifier: ~5.0.4
         version: 5.0.4(vite@5.1.3)(vue@3.4.19)
+      dotenv-cli:
+        specifier: ~7.3.0
+        version: 7.3.0
       sass:
         specifier: ~1.49.11
         version: 1.49.11
@@ -3848,7 +3851,7 @@ packages:
   /easy-web-crypto@1.2.10:
     resolution: {integrity: sha512-amZj0CYkLAr9GN40HscaGBgs8J3gX6zIBvN2MU6ZLLvKy3AHxEGPZDoNxvOYJR7ZT8P5bSRjUl/Jfb5KCh6q+A==}
     dependencies:
-      buffer: github.com/feross/buffer/5ac5ac465976d40de0cf3bc3afd9ec9ca04975f2
+      buffer: github.com/feross/buffer/5857e295f4d37e3ad02c3abcbf7e8e5ef51f3be6
     dev: false

   /ee-first@1.1.1:
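Review bot: the `buffer` line under `/easy-web-crypto@1.2.10` moves from commit 5ac5ac46… to 5857e295… while easy-web-crypto itself (same version, same `integrity` hash) is untouched in this hunk, so the re-resolution is driven entirely by the `github:feross/buffer` specifier having no commit ref. Pinning that specifier, either with a `#<commit>` suffix or by switching to a registry range such as `^6.0.3` as the report suggests, is what keeps this line stable across unrelated installs.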
@@ -8167,8 +8170,8 @@ packages:
     engines: {node: '>=12.20'}
     dev: true

-  github.com/feross/buffer/5ac5ac465976d40de0cf3bc3afd9ec9ca04975f2:
-    resolution: {tarball: https://codeload.github.com/feross/buffer/tar.gz/5ac5ac465976d40de0cf3bc3afd9ec9ca04975f2}
+  github.com/feross/buffer/5857e295f4d37e3ad02c3abcbf7e8e5ef51f3be6:
+    resolution: {tarball: https://codeload.github.com/feross/buffer/tar.gz/5857e295f4d37e3ad02c3abcbf7e8e5ef51f3be6}
     name: buffer
     version: 6.0.3
     dependencies:
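Review bot: both the removed and the added `github.com/feross/buffer/<commit>` entries resolve to a `codeload.github.com` tarball URL with no `integrity` field, unlike the registry package `/easy-web-crypto@1.2.10` in the previous hunk, which carries `integrity: sha512-…`. For this dependency the lockfile therefore records only which commit was fetched, not a hash of the content that was installed; a registry version (for example `^6.0.3`) would give both a pinned version and an integrity check.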

Expected behavior
buffer is pinned to some specific github commit (or simply to ^6.0.3), not latest, and doesn't cause unrequested lockfile updates. This also prevents sudden crashes due to breaking changes in buffer.

Environment:

  • OS: macOS
  • Node: 20.11.1
  • pnpm: 8.15.2

Additional context
To be honest I don't see why it's necessary to pull buffer from github and not from npm. Granted, it hasn't been published for 3 years, but at least simple operations (genEncryptedMasterKey, encrypt, decrypt) work fine with buffer@6.0.3.
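A check for the configuration problem this issue describes, added here as an example (it is not code from easy-web-crypto or feross/buffer): it walks a package.json object and reports git-hosted dependency specifiers that are not pinned to a full commit SHA. The `github:feross/buffer` specifier and the 5ac5ac46… commit come from the report above; the sample package.json, the `example.invalid` host, the `octocat/hello-world` and other package names, and the policy that only a 40-hex commit counts as pinned are assumptions of the example.

```javascript
// Added example, not code from easy-web-crypto or feross/buffer: report
// git-hosted dependency specifiers in a package.json that are not pinned to
// an immutable commit. Policy assumed here: only a full 40-hex commit SHA
// counts as pinned; no ref, a branch, a tag, or a "#semver:" range all
// resolve against mutable git state and are reported.

const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Specifier shapes npm/pnpm treat as git dependencies rather than registry ranges.
function isGitSpecifier(spec) {
  return /^(github|gitlab|bitbucket|gist):/i.test(spec)   // hosted shorthand, e.g. github:feross/buffer
    || /^git(\+[a-z]+)?:\/\//i.test(spec)                  // git://, git+https://, git+ssh://
    || /^[\w.-]+@[\w.-]+:[\w.\/-]+/.test(spec)              // scp-style ssh, e.g. git@host:owner/repo.git
    || /^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec);               // bare GitHub shorthand owner/repo
}

// Returns null when the specifier is pinned to a commit, otherwise the reason it is not.
function classifyGitSpecifier(spec) {
  const hashIdx = spec.indexOf('#');
  if (hashIdx === -1) {
    return 'no ref: resolves to the default branch HEAD at install time';
  }
  const ref = spec.slice(hashIdx + 1);
  if (/^[0-9a-f]{40}$/i.test(ref)) return null; // full commit SHA: immutable
  if (/^semver:/i.test(ref)) {
    return `"${ref}" is resolved against git tags, which can be moved or re-pushed`;
  }
  return `ref "${ref}" is a branch or tag name, not a commit`;
}

// Scan every dependency section and collect the unpinned git specifiers.
function findUnpinnedGitDeps(pkg) {
  const findings = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (typeof spec !== 'string' || !isGitSpecifier(spec)) continue;
      const reason = classifyGitSpecifier(spec);
      if (reason !== null) findings.push({ section, name, specifier: spec, reason });
    }
  }
  return findings;
}

// Constructed sample package.json. "github:feross/buffer" is the specifier from
// the report; the 5ac5ac46... commit is the one the report pinned the lockfile to.
// The other package names and hosts are invented for this example.
const SAMPLE_PACKAGE_JSON = {
  name: 'constructed-sample',
  dependencies: {
    buffer: 'github:feross/buffer',
    'pinned-example': 'github:feross/buffer#5ac5ac465976d40de0cf3bc3afd9ec9ca04975f2',
    'some-lib': 'git+https://example.invalid/org/some-lib.git#main',
    'base64-js': '^1.5.1',
  },
  devDependencies: {
    'dotenv-cli': '~7.3.0',
    'other-lib': 'octocat/hello-world#semver:^1.0.0',
  },
};

for (const f of findUnpinnedGitDeps(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.section}.${f.name}: ${f.specifier} -> ${f.reason}`);
}
```

To run it against a real project, replace `SAMPLE_PACKAGE_JSON` with `JSON.parse(fs.readFileSync('package.json', 'utf8'))`; a non-empty result is the condition a CI step would fail on, and the fix for each finding is the one the report asks for: a `#<commit>` suffix or a registry range.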
