[laurowyn]

Pin all you want, if the repo/vendor/maintainer pulls the release then you're not getting access to your dependencies at all.

If anything, this is the reason you use pull-through proxies. Your proxy will hold the version you depend on, regardless of upstream drama. Keep your proxy backed up and you'll be able to use those dependencies until the end of time, or you finally decide to migrate to an alternative.

[maxwell86]

> if the repo/vendor/maintainer pulls the release

If your package system allows this switch to another one, like, right now.

NPM, Cargo, etc. don't allow this (they "unlist" versions, but they don't "remove" them, i.e. you can't search for them, but they are still there).

[cerved]

there are other benefits with proxies but fair point

[chmod775]

> NPM, Cargo, etc. don't allow this

I'd say the likelihood is about 50% you have a NPM package in your dependencies right now that pulls some binary or whatever from a random S3 bucket during installation.

[chmod775]

> Pin all you want, if the repo/vendor/maintainer pulls the release then you're not getting access to your dependencies at all.

And that's among the reasons people have started to commit their node_modules folders.

It has the neat side-effect of making people take a closer look at all the crap their pulling in too.

[rane]

Offline cache with Yarn 2+ protects against this and other network failures when building CI, for example.

[junon]

> pulls the release then you're not getting access to your dependencies at all.

NPM no longer allows this.

[kristjansson]

Which is why you pull through a private mirror that doesn’t respect delete?