by acdha
41 days ago
Why don’t I need them? I can’t make every third-party package do exact version pins and it’d be miserable if I could because then I couldn’t patch a transitive dependency faster than the upstream even if there’s a drop-in patch release which is 100% compatible. Even if that worked, I’d also want hashes to avoid file modification, although that’s less of a concern for anything on Maven Central where the releases are immutable.
Every third-party package already uses exact version dependencies, you don't need to do anything.
> then I couldn’t patch a transitive dependency faster than the upstream even if there’s a drop-in patch release which is 100% compatible.
You can always override the transitive dependency version if you want to.
> I’d also want hashes to avoid file modification, although that’s less of a concern for anything on Maven Central where the releases are immutable.
It's not just Maven Central, there's a strong norm of releases being immutable everywhere. If you're worried about attacks, there's a plugin you can enable to check the GPG signatures.
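The two things the reply describes, overriding a transitive dependency's version and checking GPG signatures on resolved artifacts, as an added Maven example (not code from either commenter). The coordinates `org.example.vendor:some-lib` and `org.example.upstream:transitive-lib` are hypothetical; the signature check uses the third-party pgpverify-maven-plugin (`org.simplify4u.plugins`), which is one such plugin rather than the one the commenter had in mind, and its version and parameter names are from my recollection of its documentation and should be confirmed against it before use.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>override-demo</artifactId>
  <version>1.0.0</version>

  <!-- Hypothetical scenario: some-lib 4.2.0's published POM depends on
       transitive-lib 2.3.0, and transitive-lib has shipped a drop-in
       patch release 2.3.1 that some-lib has not yet picked up. -->
  <dependencyManagement>
    <dependencies>
      <!-- Managing the transitive artifact here forces 2.3.1 on every
           path in the dependency graph that reaches it, so the patch is
           applied without waiting for a new some-lib release. -->
      <dependency>
        <groupId>org.example.upstream</groupId>
        <artifactId>transitive-lib</artifactId>
        <version>2.3.1</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.example.vendor</groupId>
      <artifactId>some-lib</artifactId>
      <version>4.2.0</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Checks the detached .asc signature of every resolved artifact
           against the key fingerprints listed in pgp-keys-map.list and
           fails the build on a missing signature or an unexpected key.
           Plugin version and parameter names are assumptions; check the
           plugin's own documentation. -->
      <plugin>
        <groupId>org.simplify4u.plugins</groupId>
        <artifactId>pgpverify-maven-plugin</artifactId>
        <version>1.17.0</version>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
        <configuration>
          <keysMapLocation>${project.basedir}/pgp-keys-map.list</keysMapLocation>
          <failNoSignature>true</failNoSignature>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
```

The key map file pairs each `groupId:artifactId` (or a glob over them) with the fingerprint of the key expected to have signed it, so a release signed by a different key fails the build even though it has a valid signature. To confirm the override took effect, run `mvn dependency:tree -Dverbose -Dincludes=org.example.upstream:transitive-lib`; Maven prints the resolved 2.3.1 along with a note that the version was managed from 2.3.0.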