by hobofan 1206 days ago
> Just saying, I'm not sure auto semver with lockfiles is really a win over just locking to begin with.

It's still a win even if you consider only patch version updates. Without that, for a CVE in a dependency, every dependent package will have to update, and will first have to wait for the lower level to update and publish a new version. So for a dependency ~4 layers deep, with coordination and publishing lag in between, this can quickly take more than a week (and this is assuming responsive maintainers).

1 comments

A lot of the time that happens anyway... at least with npm... there are a lot of times you see warnings that you cannot resolve because of a nested dependency that is more than a point release off.
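To make the propagation argument from hobofan's comment concrete, here is an added example (not from the thread) modelling a four-layer chain the way npm resolves it: with exact pins, every intermediate maintainer must publish a new release before a patch-level CVE fix reaches the app; with caret ranges plus a lockfile, a lockfile refresh is enough. Package names, versions and the simplified range semantics (no `0.x` special cases) are constructed assumptions.

```javascript
// Added example (not from the HN thread): a tiny model of npm-style resolution
// showing how many packages must cut a new release before a patch-level CVE
// fix deep in the tree reaches the app, for exact pins vs. semver ranges.
function parse(v) {
  const [major, minor, patch] = v.replace(/^[\^~]/, '').split('.').map(Number);
  return { major, minor, patch };
}
const cmp = (a, b) => a.major - b.major || a.minor - b.minor || a.patch - b.patch;
// Subset of npm range semantics; assumption: majors > 0, so the "0.x" rules are skipped.
function satisfies(version, range) {
  const v = parse(version), r = parse(range);
  if (cmp(v, r) < 0) return false;
  if (range.startsWith('^')) return v.major === r.major;
  if (range.startsWith('~')) return v.major === r.major && v.minor === r.minor;
  return cmp(v, r) === 0; // bare version string = exact pin
}
function bumpPatch(version) {
  const v = parse(version);
  return `${v.major}.${v.minor}.${v.patch + 1}`;
}
// graph: { name: { version, deps: { depName: range } } }. Returns, in propagation
// order, every package that must publish a new release before the fix can reach
// the rest of the tree through a plain lockfile refresh.
function republishSet(graph, vulnPkg, fixedVersion) {
  const affected = new Map(); // name -> version it would have to publish
  const queue = [[vulnPkg, fixedVersion]];
  while (queue.length) {
    const [pkg, newVersion] = queue.shift();
    for (const [name, node] of Object.entries(graph)) {
      const range = node.deps[pkg];
      if (range === undefined || affected.has(name)) continue;
      if (satisfies(newVersion, range)) continue; // range admits the fix: lockfile update only
      const bumped = bumpPatch(node.version);      // maintainer must ship a patch release
      affected.set(name, bumped);
      queue.push([name, bumped]);
    }
  }
  return [...affected.keys()];
}
// Constructed 4-layer chain app -> a -> b -> c -> vuln-lib (all names hypothetical).
const mk = (aR, bR, cR, vR) => ({
  app: { version: '1.0.0', deps: { a: aR } },
  a: { version: '1.4.0', deps: { b: bR } },
  b: { version: '3.1.7', deps: { c: cR } },
  c: { version: '5.0.0', deps: { 'vuln-lib': vR } },
  'vuln-lib': { version: '2.0.1', deps: {} },
});
const PINNED = mk('1.4.0', '3.1.7', '5.0.0', '2.0.1');      // exact pins everywhere
const RANGED = mk('^1.4.0', '^3.1.7', '^5.0.0', '^2.0.1');  // caret ranges + lockfile
const MIXED = mk('^1.4.0', '^3.1.7', '^5.0.0', '2.0.1');    // only c pins vuln-lib
// The CVE fix ships as vuln-lib 2.0.2: pinned needs 4 releases, ranged none, mixed just c.
```

Calling `republishSet(PINNED, 'vuln-lib', '2.0.2')` returns `['c', 'b', 'a', 'app']`, `RANGED` returns `[]`, and `MIXED` returns `['c']`, which is the one-pin-breaks-the-chain case the reply above complains about.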