I am more and more of the opinion that relying on semantic versioning conventions (e.g. using "module": "^1.2.3", in your package.json) is a bad idea. A convention is not a guarantee. Something like Renovate is safer, especially in combination with a good test suite.