by lmm
45 days ago
> I can’t make every third-party package do exact version pins

Every third-party package already uses exact version dependencies, you don't need to do anything.

> then I couldn’t patch a transitive dependency faster than the upstream even if there’s a drop-in patch release which is 100% compatible.

You can always override the transitive dependency version if you want to.

> I’d also want hashes to avoid file modification, although that’s less of a concern for anything on Maven Central where the releases are immutable.

It's not just Maven Central, there's a strong norm of releases being immutable everywhere. If you're worried about attacks, there's a plugin you can enable to check the GPG signatures.
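The transitive override lmm refers to, as an added example that is not part of the comment above: a Maven `pom.xml` in which the consuming project's `dependencyManagement` section forces a transitive dependency to a drop-in patch release before the upstream library has updated its own pin. The coordinates (`com.example:some-framework`, `com.example:transitive-lib`) and the versions are hypothetical placeholders.

```xml
<!-- Added example (not from the comment above). All coordinates and
     versions below are hypothetical placeholders.

     Scenario: some-framework 2.3.0 declares transitive-lib 1.4.0.
     A compatible 1.4.1 patch release exists, and this project wants it
     now rather than waiting for some-framework to bump its dependency. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>my-app</artifactId>
  <version>1.0.0</version>

  <!-- A managed version applies to every occurrence of the artifact in the
       resolved graph, including transitive ones, so this wins over the
       1.4.0 that some-framework asks for. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.example</groupId>
        <artifactId>transitive-lib</artifactId>
        <version>1.4.1</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <!-- The direct dependency is left untouched; only its transitive
       transitive-lib is re-pinned. -->
  <dependencies>
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>some-framework</artifactId>
      <version>2.3.0</version>
    </dependency>
  </dependencies>
</project>
```

To confirm the override took effect, run `mvn dependency:tree -Dincludes=com.example:transitive-lib` and check that the artifact resolves to 1.4.1 rather than 1.4.0. The same `dependencyManagement` block is also the place to pin a transitive dependency to an older version if a patch release turns out not to be drop-in after all.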