its so wild to have seen this advice reverse course over the past year. it used to be that project...

jonchurch_ • yesterday at 10:10 PM • 1 reply • view on HN

its so wild to have seen this advice reverse course over the past year.

it used to be that projects that pinned deps were called out as being less secure due to not being able to receive updates without a publish.

different times, different threat model I suppose

Replies

n_e • yesterday at 10:56 PM

> it used to be that projects that pinned deps were called out as being less secure due to not being able to receive updates without a publish.

This is still the right advice for libraries. For security it doesn’t matter a whole lot anymore as package managers can force the transitive dependencies version, but it allows for much better transitive dependency de duplication.

For non-libraries it doesn’t matter as the exact versions get pinned in the package-lock.

alt Hacker News

Replies