by
vablings
64 days ago
Wait, you're telling me that node deps are not pinned by default. Every time you run your code you might be pulling in a new version.
No wonder...
hombre_fatal
64 days ago
Node deps are pinned:
https://docs.npmjs.com/cli/v8/configuring-npm/package-lock-j...
The problem is that you also want to update deps.
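A lockfile only pins what it actually contains, so the practical check is whether every dependency declared in package.json has a resolved, integrity-protected entry in package-lock.json. The script below is an added example (not code from the thread); it audits a constructed package.json against a constructed lockfileVersion 3 lock and reports entries that are missing, lack an integrity hash, or are pinned only by the lockfile rather than by an exact spec.

```javascript
// Constructed sample inputs (not real project files): a manifest with mixed
// exact and range specs, and a lockfile that is stale relative to it.
const manifest = {
  dependencies: { "left-pad": "^1.3.0", lodash: "4.17.21", semver: "~7.5.0" },
  devDependencies: { jest: "^29.0.0" },
};
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: manifest.dependencies },
    "node_modules/left-pad": { version: "1.3.0", integrity: "sha512-CONSTRUCTED" },
    "node_modules/lodash": { version: "4.17.21", integrity: "sha512-CONSTRUCTED" },
    "node_modules/semver": { version: "7.5.4" }, // no integrity: tarball cannot be verified
    // "jest" deliberately absent: package.json was edited without updating the lock
  },
};

// A spec is exact only if it is a bare version. Anything else (^, ~, x, >=)
// is a range that the lockfile, not package.json, narrows to one version.
function isExactSpec(spec) {
  return /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/.test(spec);
}

// Walk every declared dependency and compare it with the lockfile's
// "packages" map (lockfileVersion 2/3 keys are "node_modules/<name>").
function auditLockfile(manifest, lockfile) {
  const findings = [];
  const declared = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  for (const [name, spec] of Object.entries(declared)) {
    const entry = lockfile.packages[`node_modules/${name}`];
    if (!entry) {
      findings.push({ name, level: "error", msg: `not in lockfile (spec ${spec}); npm ci fails, npm install resolves it fresh` });
      continue;
    }
    if (!entry.integrity) {
      findings.push({ name, level: "warn", msg: `lock entry ${entry.version} has no integrity hash` });
    }
    if (!isExactSpec(spec)) {
      findings.push({ name, level: "info", msg: `range ${spec} pinned to ${entry.version} by lockfile only` });
    }
  }
  return findings;
}

for (const f of auditLockfile(manifest, lockfile)) {
  console.log(`${f.level}\t${f.name}\t${f.msg}`);
}
```

On a real checkout, replace the constructed objects with `require("./package.json")` and `require("./package-lock.json")`; `npm ci` enforces the "error" case by refusing to install when the two files disagree, which is why CI should use it rather than `npm install`.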
bfivyvysj
64 days ago
Why?
NetMageSCW
63 days ago
Because they could have a security flaw that might compromise your project or any users of it.
vablings
63 days ago
For any of my rust projects I really don't bump my deps unless dependabot shows a serious vulnerability or I want to use a new feature added. Outside of that my deps are locked to the last known good version I use.