| ▲ | Already__Taken 4 days ago | |||||||||||||
We didn't get locking until npm v5 (some memory and googling, could be wrong.) And it took a long time to do everything you'd think you want. Changing the main command `npm install` after 7 years isn't really "stable". Anyway didn't this replace versions, so locking won't have helped either? | ||||||||||||||
| ▲ | minitech 3 days ago | parent | next [-] | |||||||||||||
You can’t replace existing versions on npm. (But probably more important is what @jffry mentioned – yes, lockfiles include hashes.) | ||||||||||||||
| ▲ | jffry 3 days ago | parent | prev [-] | |||||||||||||
> Anyway didn't this replace versions, so locking won't have helped either? The lockfile includes a hash of the tarball, doesn't it? | ||||||||||||||
| ||||||||||||||