Hacker News
by
vel0city
282 days ago
The package-lock.json includes a hash of the package, not just a version number which should be immutable.
whilenot-dev
282 days ago
To add to this: the hash in the lock file is the checksum of the published tarball, not the commit hash.
cluckindan
281 days ago
And then someone runs `npm install` on their CI
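The tarball checksum discussed in the thread above, as an added example that is not part of any comment: it checks tarball bytes against the `integrity` value of each lock entry and reports entries that no longer match, even though name and version are unchanged. It assumes the `packages` map layout of a version 3 lock file; the package names, helper names and tarball bytes are constructed for illustration.

```javascript
// Added example (not from the thread): check tarball bytes against lock-file integrity.
const { createHash } = require('node:crypto');

const STRENGTH = ['sha1', 'sha256', 'sha384', 'sha512']; // weakest to strongest

// Build an SRI string the way a lock entry stores it: "<algorithm>-<base64 digest>".
function sri(bytes, algorithm = 'sha512') {
  return `${algorithm}-${createHash(algorithm).update(bytes).digest('base64')}`;
}

// Split "sha512-AAA sha1-BBB" into entries, keeping only algorithms we can check.
function parseIntegrity(integrity) {
  return String(integrity || '').trim().split(/\s+/).filter(Boolean)
    .map((entry) => {
      const dash = entry.indexOf('-');
      return { algorithm: entry.slice(0, dash), digest: entry.slice(dash + 1) };
    })
    .filter((e) => STRENGTH.includes(e.algorithm));
}

// Compare against the strongest algorithm listed; fail closed if none is usable.
function verifyTarball(bytes, integrity) {
  const entries = parseIntegrity(integrity);
  if (entries.length === 0) return false;
  const rank = (e) => STRENGTH.indexOf(e.algorithm);
  const best = entries.reduce((a, b) => (rank(b) > rank(a) ? b : a)).algorithm;
  return entries.some((e) => e.algorithm === best && sri(bytes, best) === `${best}-${e.digest}`);
}

// Return the lock-file paths whose tarball does not match the recorded checksum.
// `tarballs` maps a lock path to bytes; how they were fetched is outside this sketch.
function auditLock(lock, tarballs) {
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) => path !== '' && !meta.link) // skip root and symlinked entries
    .filter(([path, meta]) => !tarballs[path] || !verifyTarball(tarballs[path], meta.integrity))
    .map(([path]) => path);
}

// Constructed sample: two different bodies offered under the same name and version.
const published = Buffer.from('constructed tarball contents, as first published');
const replaced = Buffer.from('constructed tarball contents, swapped afterwards');
const lock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/example-dep': { version: '2.3.4', integrity: sri(published) },
  },
};
console.log(auditLock(lock, { 'node_modules/example-dep': published }));
console.log(auditLock(lock, { 'node_modules/example-dep': replaced }));
```
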