by iainmerrick 1765 days ago
This is something I really don’t understand about Deno. I feel like I must be missing something.

How do I pin the versions of my dependencies? i.e. where is the package lock file?

If the idea is that every source file will specify the version it wants of every dependency, that seems unmanageable. Or if every source file just imports the latest version of its deps, how do I get reproducible builds?

I want a lockfile with an explicit manual step to update dependencies. “npm ci” seems to work well. I don’t see how Deno improves on it, quite the reverse.

Edit to add: hmm, there are some docs here that look relevant: https://deno.land/manual/linking_to_external_code/integrity_... But this reads as “if you really want package integrity, here are some awkward commands you can run to do it”. I strongly feel this should be the default behaviour that the tools should steer you towards. And in the examples on this page, the source code does link to specific library versions; I have a hard time accepting that that’s a good idea, except possibly for major versions.

2 comments

Yeah, it's a bit awkward and you have to dig through the docs to find it. We're thinking about making it the default behavior.
Please do! I think that would be a big win.

The package integrity and import maps sections of the docs look like they do everything that’s needed, they just look fiddly to use correctly.

Maybe it just wants something as simple as an optional .denorc at the root of your project to set the default flags?

If you want to use locked version deps from VCS you point to a specific tag, not a branch IIRC.