
Pinning, while more reliable, is not actually fully reliable. If you want reliable, you should be checking in copies of your dependencies, either directly or as submodules. Then, if you want to upgrade, you check in the latest. Pinning still allows the person in control of the 3rd-party repo to mess you up. Your reproducibility is still at their mercy.



That depends on the repo. Some do not allow changes (short of the repo itself failing). Some allow only withdrawing versions, but no changes.

But yes, you should either commit deps, or have your own repo/caching-proxy which will neither change nor drop old versions.
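The difference between a version pin and a content-hash lock, and why a vendored copy sidesteps both a re-published and a withdrawn upstream version, as an added Python example that is not from either commenter. The in-memory registry, the lockfile layout and the helper names (`lock_entry`, `verify_lock`, `vendor`) are constructed for illustration and do not correspond to any real package manager's API.

```python
"""Version pin vs. content-hash lock vs. vendored copy (constructed example).

A version pin only names a label to fetch. If the upstream re-publishes
different bytes under the same label, the pin still resolves. Recording the
sha256 of the fetched bytes detects that; checking a copy into the tree
removes the dependency on the upstream entirely.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for a package index: (name, version) -> artifact bytes.
Registry = Dict[Tuple[str, str], bytes]
Fetcher = Callable[[str, str], Optional[bytes]]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def lock_entry(name: str, version: str, data: bytes) -> dict:
    """Record what was actually fetched: the label plus a hash of the bytes."""
    return {"name": name, "version": version, "sha256": sha256_hex(data)}


def version_pin_resolves(lock: List[dict], fetch: Fetcher) -> bool:
    """What a plain version pin checks: does the label still exist upstream?"""
    return all(fetch(e["name"], e["version"]) is not None for e in lock)


def verify_lock(lock: List[dict], fetch: Fetcher) -> List[str]:
    """Re-fetch each dependency and compare its bytes against the lockfile.

    Returns human-readable problems; an empty list means every dependency
    resolved to exactly the bytes that were locked.
    """
    problems = []
    for e in lock:
        data = fetch(e["name"], e["version"])
        if data is None:
            problems.append(f"{e['name']}=={e['version']}: withdrawn upstream")
        elif sha256_hex(data) != e["sha256"]:
            problems.append(f"{e['name']}=={e['version']}: hash mismatch")
    return problems


def vendor(lock: List[dict], fetch: Fetcher, dest: Path) -> None:
    """Copy each locked artifact into `dest`, refusing anything unverified."""
    dest.mkdir(parents=True, exist_ok=True)
    for e in lock:
        data = fetch(e["name"], e["version"])
        if data is None or sha256_hex(data) != e["sha256"]:
            raise RuntimeError(f"refusing to vendor unverified {e['name']}")
        (dest / f"{e['name']}-{e['version']}.tgz").write_bytes(data)


def vendored_fetcher(dest: Path) -> Fetcher:
    """A fetcher that reads from the vendored directory instead of upstream."""
    def fetch(name: str, version: str) -> Optional[bytes]:
        p = dest / f"{name}-{version}.tgz"
        return p.read_bytes() if p.exists() else None
    return fetch


def demo() -> dict:
    """Walk through re-tag and withdrawal events against all three strategies."""
    registry: Registry = {("leftpad", "1.2.3"): b"original artifact bytes"}
    upstream: Fetcher = lambda n, v: registry.get((n, v))
    lock = [lock_entry("leftpad", "1.2.3", registry[("leftpad", "1.2.3")])]
    with tempfile.TemporaryDirectory() as tmp:
        vendor_dir = Path(tmp) / "vendor"
        vendor(lock, upstream, vendor_dir)
        before = verify_lock(lock, upstream)
        # Upstream re-publishes different bytes under the same version label.
        registry[("leftpad", "1.2.3")] = b"replaced artifact bytes"
        pin_after_retag = version_pin_resolves(lock, upstream)  # still True
        lock_after_retag = verify_lock(lock, upstream)          # detects it
        # Upstream withdraws the version entirely.
        del registry[("leftpad", "1.2.3")]
        after_withdraw = verify_lock(lock, upstream)
        # The vendored copy is unaffected by either event.
        vendored = verify_lock(lock, vendored_fetcher(vendor_dir))
    return {
        "before": before,
        "pin_after_retag": pin_after_retag,
        "lock_after_retag": lock_after_retag,
        "after_withdraw": after_withdraw,
        "vendored": vendored,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The first comment's point is the `pin_after_retag` result: the version pin still resolves after the upstream swaps the bytes, while the hash lock reports a mismatch and the vendored copy verifies clean. The second comment's caching proxy is the same idea as `vendored_fetcher`, served from a repository you control rather than the working tree.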




