Does the allow list in package.json pin to the package version, or only to the package name?