hmokiguess 3 hours ago
At my former job we had a private registry that was a mirror of npm's, with an approval gate for packages devs would request, and it would always pin versions. I took that for granted back then and just assumed it was standard enterprise policy.
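The two controls described in that comment (every dependency pinned to an exact version, every package fetched from the approved mirror rather than the public registry) can be enforced mechanically in CI with a check over package.json and package-lock.json. The script below is an added example, not code from this thread or from any registry product mentioned in it; the registry host npm.corp.example, the function names and the sample manifests are constructed for illustration, and the integrity values are placeholders, not real hashes.

```python
"""Audit an npm project for two controls: exact version pins in package.json,
and a lockfile whose packages all resolve from the approved private registry
with an integrity hash. Added example; the registry URL and sample data are
constructed, not taken from any real project."""
import json
import re
import sys

# Hypothetical private mirror with an approval gate (assumption, not a real host).
APPROVED_REGISTRY = "https://npm.corp.example/"

# An exact semver version: no ^, ~, ranges, dist-tags such as "latest", or URLs.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")

DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")


def unpinned_specs(package_json):
    """Return (name, spec) for every dependency whose spec is not an exact version."""
    findings = []
    for field in DEP_FIELDS:
        for name, spec in package_json.get(field, {}).items():
            if not EXACT_VERSION.match(spec):
                findings.append((name, spec))
    return findings


def pinned_version_mismatches(package_json, lockfile):
    """For exactly pinned deps, the top-level installed version must match the pin."""
    installed = {
        path[len("node_modules/"):]: entry.get("version")
        for path, entry in lockfile.get("packages", {}).items()
        if path.startswith("node_modules/") and path.count("node_modules/") == 1
    }
    findings = []
    for field in DEP_FIELDS:
        for name, spec in package_json.get(field, {}).items():
            if EXACT_VERSION.match(spec) and installed.get(name) != spec:
                findings.append(f"{name}: package.json pins {spec} but lockfile has {installed.get(name)}")
    return findings


def lockfile_findings(lockfile, approved_registry=APPROVED_REGISTRY):
    """Check a lockfileVersion 2/3 'packages' map: every installed package (nested
    ones included) must resolve from the approved registry and carry an integrity hash."""
    findings = []
    for path, entry in lockfile.get("packages", {}).items():
        if path == "" or entry.get("link"):  # root project or workspace symlink
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = entry.get("resolved", "")
        if not resolved.startswith(approved_registry):
            findings.append(f"{name}: resolved from {resolved or '<missing>'}, not {approved_registry}")
        if not entry.get("integrity"):
            findings.append(f"{name}: no integrity hash in lockfile")
    return findings


def audit(package_json, lockfile):
    """All findings in a stable order; an empty list means the project passes."""
    findings = [f"{n}: spec '{s}' is not an exact version" for n, s in unpinned_specs(package_json)]
    findings += pinned_version_mismatches(package_json, lockfile)
    findings += lockfile_findings(lockfile)
    return findings


# Constructed sample manifests: one clean entry plus one example of each violation.
SAMPLE_PACKAGE_JSON = {
    "name": "example-app",
    "dependencies": {"left-pad": "1.3.0", "lodash": "^4.17.21", "express": "latest"},
    "devDependencies": {"jest": "29.7.0"},
}
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/left-pad": {"version": "1.3.0",
                                  "resolved": "https://npm.corp.example/left-pad/-/left-pad-1.3.0.tgz",
                                  "integrity": "sha512-PLACEHOLDER"},
        "node_modules/lodash": {"version": "4.17.21",
                                "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
                                "integrity": "sha512-PLACEHOLDER"},
        "node_modules/express": {"version": "4.19.2",
                                 "resolved": "https://npm.corp.example/express/-/express-4.19.2.tgz"},
        "node_modules/jest": {"version": "29.6.0",
                              "resolved": "https://npm.corp.example/jest/-/jest-29.6.0.tgz",
                              "integrity": "sha512-PLACEHOLDER"},
    },
}

if __name__ == "__main__":
    # Usage: audit_npm.py [package.json package-lock.json]; defaults to the sample data.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            pkg, lock = json.load(f), json.load(g)
    else:
        pkg, lock = SAMPLE_PACKAGE_JSON, SAMPLE_LOCK
    problems = audit(pkg, lock)
    print("\n".join(problems) or "OK: all pins exact, all packages from approved registry")
    sys.exit(1 if problems else 0)
```

Run with no arguments to see the five findings from the sample data, or point it at a real package.json and package-lock.json and wire the non-zero exit into CI. It only inspects what the lockfile claims; pairing it with `npm ci` against the mirror (so the registry, not the developer, is the one that cannot resolve a non-approved package) is what makes the gate hold.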
jamesfinlayson 40 minutes ago | parent
Multiple previous jobs had this too (local Packagist is a thing, Artifactory is another), but my current job got rid of theirs. Seemed a little short-sighted given the risks, but I don't make the decisions.