| ▲ | broken_broken_ 4 days ago | |
I agree with the premise, just use a specific version of your dependencies, that’s generally fine. However: You absolutely do need a lock file to store a cryptographic hash of each dependency to ensure that what is fetched has not been tampered with. And users are definitely not typing a hash when adding a new dependency to package.json or Cargo.toml. | ||
| ▲ | chriswarbo 4 days ago | parent [-] | |
> And users are definitely not typing a hash when adding a new dependency to package.json or Cargo.toml I actually much prefer that: specify the git revision to use (i.e. a SHA1 hash). I don't particularly care what "version number" that may or may not have. | ||