Hacker News new | ask | show | jobs
by Already__Taken 281 days ago
We didn't get locking until npm v5 (some memory and googling, could be wrong.) And it took a long time to do everything you'd think you want.

Changing the main command `npm install` after 7 years isn't really "stable". Anyway didn't this replace versions, so locking won't have helped either?
2 comments
minitech 280 days ago
You can’t replace existing versions on npm. (But probably more important is what @jffry mentioned – yes, lockfiles include hashes.)
link
jffry 280 days ago
> Anyway didn't this replace versions, so locking won't have helped either?

The lockfile includes a hash of the tarball, doesn't it?

link
Already__Taken 280 days ago
It does, the answer to my question was no.
link