madeofpalk, 3 days ago:

> Package lock files from npm/yarn/pnpm automatically lock all your dependencies (including transitive deps)

What does this actually achieve?
apimade, 2 days ago (reply):

When it comes to accidentally installing a malicious package in your dev environment, the concern isn't "what's already installed"; it's what's potentially going to be installed in the future by you or your colleagues. So you pin the version and update periodically when security issues arise in your dependencies.
user34283, 3 days ago (reply):

Maybe the same as if "npm config set save-exact true" were enabled when adding the dependencies. Whether that's so important, I'm not sure.
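As an added example (not written by any of the commenters above), here is a small Node script that audits a package-lock.json in the lockfileVersion 3 format, where every installed package, transitive ones included, gets an entry keyed by its `node_modules/...` path with a `version`, a `resolved` tarball URL and an `integrity` hash. The script flags entries with no integrity hash, entries resolved from somewhere other than the registry you trust, dependencies declared in package.json but absent from the lockfile, and top-level lockfile entries that nothing depends on. The package.json, the lockfile, the package names and the registry constant are all constructed for the illustration. Semver range checking is left out; `npm ci` already refuses to install when package.json and the lockfile disagree.

```javascript
// Added example (not from the thread): audit a package-lock.json
// (lockfileVersion 3) for the properties a lockfile is meant to provide.
// Both the package.json and the lockfile below are constructed samples.
// Run with: node lockfile-audit.js

// Assumption: a single trusted registry; anything resolved elsewhere is suspect.
const ALLOWED_REGISTRY = "https://registry.npmjs.org/";

// Constructed package.json for a hypothetical project.
const packageJson = {
  name: "example-app",
  dependencies: { "left-pad-ish": "^1.3.0", "tiny-logger": "~2.0.0" },
};

// Constructed lockfile with three planted problems: "ansi-ish" (a transitive
// dependency of "tiny-logger") has no integrity hash, and "sneaky-helper"
// resolves to a non-registry URL and is depended on by nothing at all.
const packageLock = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: packageJson.dependencies },
    "node_modules/left-pad-ish": {
      version: "1.3.2",
      resolved: "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.3.2.tgz",
      integrity: "sha512-CONSTRUCTED0001",
    },
    "node_modules/tiny-logger": {
      version: "2.0.4",
      resolved: "https://registry.npmjs.org/tiny-logger/-/tiny-logger-2.0.4.tgz",
      integrity: "sha512-CONSTRUCTED0002",
      dependencies: { "ansi-ish": "^3.0.0" },
    },
    "node_modules/ansi-ish": {
      version: "3.1.0",
      resolved: "https://registry.npmjs.org/ansi-ish/-/ansi-ish-3.1.0.tgz",
    },
    "node_modules/sneaky-helper": {
      version: "0.0.1",
      resolved: "https://mirror.example/sneaky-helper-0.0.1.tgz",
      integrity: "sha512-CONSTRUCTED0004",
    },
  },
};

// Package name from a lockfile path: "node_modules/a/node_modules/@s/b" -> "@s/b".
function nameFromPath(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Top-level entries contain exactly one "node_modules/" segment.
function isTopLevel(path) {
  return path.split("node_modules/").length === 2;
}

function auditLockfile(pkg, lock) {
  const findings = [];
  if (lock.lockfileVersion !== 3) {
    findings.push({ path: "", issue: `unexpected lockfileVersion ${lock.lockfileVersion}` });
    return findings;
  }
  const declared = new Set(Object.keys(pkg.dependencies || {}));
  const locked = new Set();     // top-level package names present in the lockfile
  const dependedOn = new Set(); // names that some locked entry depends on

  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue; // the root entry describes the project itself
    for (const dep of Object.keys({ ...entry.dependencies, ...entry.optionalDependencies })) {
      dependedOn.add(dep);
    }
    if (isTopLevel(path)) locked.add(nameFromPath(path));
    if (entry.link) continue; // workspace symlink: there is no tarball to verify
    if (!entry.integrity) findings.push({ path, issue: "missing integrity hash" });
    if (!entry.resolved || !entry.resolved.startsWith(ALLOWED_REGISTRY)) {
      findings.push({ path, issue: `resolved outside ${ALLOWED_REGISTRY}: ${entry.resolved}` });
    }
  }
  for (const name of declared) {
    if (!locked.has(name)) {
      findings.push({ path: `node_modules/${name}`, issue: "declared in package.json but not in lockfile" });
    }
  }
  for (const name of locked) {
    if (!declared.has(name) && !dependedOn.has(name)) {
      findings.push({ path: `node_modules/${name}`, issue: "in lockfile but nothing depends on it" });
    }
  }
  return findings;
}

console.log(auditLockfile(packageJson, packageLock));
```

Run against the constructed lockfile it reports three findings: the missing hash on `node_modules/ansi-ish`, the off-registry `resolved` URL on `node_modules/sneaky-helper`, and the fact that nothing depends on `sneaky-helper`. The last two are the shape a lockfile-only injection takes, which is why the check looks at the lockfile rather than at package.json, where `save-exact` would only pin the versions of direct dependencies.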