undefined | Better HN

0 pointspetepete4y ago0 comments

For the stuff I work on I prefer the big diffs to be hidden. It's nearly always yarn.lock and I have no desire to see that monstrosity in all its glory.

0 comments

MitchellCash4y ago

I think we can get the best of both worlds by hiding lock files by default and always showing any actual code file diffs. Performance may be a factor for very large diffs, but this would actually be my preference to how the default behaviour would work as I agree with you and the parent post.

petepeteOP4y ago

A toggle in GitHub settings to automatically collapse `*.lock` files would be a massive step in the right direction.

iovrthoughtthis4y ago

i have no idea why we include these in code reviews tbh

eloisius4y ago

Not saying I review dependency locks as well as I should, but one reason to is to prevent supply chain attacks. E.g. making a typo that installs a malicious package. I recently saw a $60k beast of a machine with 64 cores get pwnd. We all wondered why “-bash” was burning 48 cores of CPU until I attached strace to it and we saw JSON RPC messages indicative of crypto mining. Everyone with access to the machine is trustworthy, but someone may have typo’d a pip install or something like that.

j / k navigate · click thread line to collapse