by mirashii 1438 days ago
Semver promises are insufficient in a world where supply chain attacks are increasingly common. Pulling untested and invalidated code in at every project build is how that transitive dependency on a package that was taken over for a small window wrecks your development team. You should never be pulling in new code by surprise; it should always be something I’m aware of and signing up for.

The Rust ecosystem is good evidence that locking doesn’t kill semver. Semver is still widely used and has all of its meaning.
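The mechanism the comment relies on is that a lockfile pins both an exact version and a content checksum, so a build cannot silently pick up a newer semver-compatible release or a re-uploaded artifact. The following is an added example, not code from the comment or from Cargo itself: a minimal checker that reads a lockfile in the `[[package]]` layout Cargo.lock uses and refuses any resolved artifact that drifts from what was locked. The package name, registry URL and artifact bytes are constructed for the example.

```python
import hashlib

# Constructed artifact: stands in for the bytes of the locked package version.
GOOD_BYTES = b"constructed crate archive for widget-parser 1.4.2"

# Constructed lockfile in the [[package]] layout used by Cargo.lock.
# The checksum is the SHA-256 of GOOD_BYTES, as Cargo records for registry crates.
LOCK_TEXT = """
[[package]]
name = "widget-parser"
version = "1.4.2"
source = "registry+https://registry.example.invalid/index"
checksum = "{checksum}"
""".format(checksum=hashlib.sha256(GOOD_BYTES).hexdigest())


def parse_lock(text):
    """Parse [[package]] tables into {name: {version, source, checksum}}."""
    packages = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip().strip('"')
        current[key.strip()] = value
        if "name" in current and "version" in current and "checksum" in current:
            packages[current["name"]] = current
    return packages


def verify_artifact(locked, name, version, data):
    """Decide whether a resolved artifact may be used.

    Returns one of:
      "not-locked"        - package absent from the lockfile; nothing vouches for it
      "version-drift"     - resolver picked a version other than the pinned one,
                            even if it is semver-compatible
      "checksum-mismatch" - same version string, different bytes (re-uploaded
                            or tampered artifact)
      "ok"                - version and content match the lockfile
    """
    entry = locked.get(name)
    if entry is None:
        return "not-locked"
    if version != entry["version"]:
        return "version-drift"
    if hashlib.sha256(data).hexdigest() != entry["checksum"]:
        return "checksum-mismatch"
    return "ok"


LOCKED = parse_lock(LOCK_TEXT)

if __name__ == "__main__":
    # A hijacked 1.4.3 would satisfy "^1.4" under semver, but not the lockfile.
    for ver, data in [("1.4.2", GOOD_BYTES), ("1.4.3", GOOD_BYTES), ("1.4.2", b"tampered")]:
        print(ver, verify_artifact(LOCKED, "widget-parser", ver, data))
```

The decision order matters: a version mismatch is rejected before any hash is computed, so a build never even inspects code the team did not explicitly sign up for, and a matching version string alone is not trusted because a registry takeover can republish the same version with different contents.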