undefined | Better HN

0 pointsvorticalbox4mo ago0 comments

the issue is not that devs don't know what they are its that they don't pin packages

if you run `npm i ramda` it will set this to "ramda": "^0.32.0" (as of comment)

that ^ means install any version that is a feature or patch.

so when a package is released with malware they bump version 0.32.1 and everyone just installs it on next npm i.

pinning your deps "ramda": "0.32.0" completely removes the risk assuming the version you listed is not infected.

the trade off is you don't get new features/patches without manually changing the version bump.

0 comments

dboreham4mo ago

For context: ramada 0.32.0 isn't a concrete thing, in the sense that glibc 2.35 is. It really means "the latest ramada code because if you were to pin on this version it'll at some point stop working". glibc 2.35 never stops working.

christophilus4mo ago

> the trade off

I see that as a desirable feature. I don’t want new functionality suddenly popping into my codebase without one of my team intending it.

vorticalboxOP4mo ago

me too but a lot of people see it as massive overhead they don't want to deal with.

personally i pin all mine because if you don't a version could be deployed during a pipeline and this makes your local version not the same as the one in docker etc.

pinning versions is the only way to be sure that the version I am running is the same as everyone elses

j / k navigate · click thread line to collapse