by andrejserafim 1959 days ago
Why would you want your CI to depend on an external source. Say a legit upgrade happened, but it has a breaking change. Now your build is broken.

Fixed versions for as many things as you can (including OS images, apt packages, Docker images, etc) lead to changes in your CI under your control.

Sure, you have to upgrade manually or by a script. But isn't plain build stability worth it? Not even talking about security.

1 comments
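As an added illustration of the pinning advice above (example code, not from the thread): a small audit that flags floating references in a Dockerfile and a requirements.txt, the three places the comment names (base images, apt packages, language dependencies). The sample files are constructed, and the sha256 digest in them is a placeholder.

```python
import re

# Constructed sample inputs (not from the thread): a Dockerfile and a
# requirements.txt mixing pinned and floating references.
SAMPLE_DOCKERFILE = """\
FROM python:3
RUN apt-get update && apt-get install -y curl libssl-dev=1.1.1n-0+deb11u5
FROM node:18.19.0-bookworm@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef AS build
"""

SAMPLE_REQUIREMENTS = """\
requests==2.31.0
flask>=2.0
pyyaml
"""

# Only a content digest is immutable; a tag (or no tag) can be re-pointed.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def unpinned_images(dockerfile: str) -> list[str]:
    """Return FROM references that are not pinned to a digest."""
    findings = []
    for line in dockerfile.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].upper() == "FROM":
            if not DIGEST_RE.search(parts[1]):
                findings.append(parts[1])
    return findings


def unpinned_apt_packages(dockerfile: str) -> list[str]:
    """Return apt-get install arguments that lack an explicit '=version'."""
    findings = []
    for line in dockerfile.splitlines():
        for m in re.finditer(r"apt-get install\s+(.*)", line):
            # Stop at the next shell command so '&&' chains are not parsed.
            for tok in m.group(1).split("&&")[0].split():
                if not tok.startswith("-") and "=" not in tok:
                    findings.append(tok)
    return findings


def unpinned_requirements(requirements: str) -> list[str]:
    """Return requirement lines that are not an exact '==' pin."""
    findings = []
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if line and "==" not in line:
            findings.append(line)
    return findings


if __name__ == "__main__":
    for ref in unpinned_images(SAMPLE_DOCKERFILE):
        print("floating image:", ref)
    for pkg in unpinned_apt_packages(SAMPLE_DOCKERFILE):
        print("floating apt package:", pkg)
    for req in unpinned_requirements(SAMPLE_REQUIREMENTS):
        print("floating pip requirement:", req)
```

Running it on the samples reports `python:3`, `curl`, `flask>=2.0` and `pyyaml`; the digest-pinned image and the `==`/`=`-pinned entries pass.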

It probably doesn't. But are you saying devs never update their dependencies?
When one updates internal dependency versions one usually has to find them. At least that was the story with my gigs. So there's a listing somewhere.

So you wouldn't get a random version even considered.

Version shadowing and overriding is a totally different concern of course.