bombolo
3y ago
It's more dangerous to let people pin dependencies and have vulnerable libraries in use forever.
3 comments · 1 top-level
burntsushi
3y ago
Who says the distros are using the lock file? AFAIK, Debian doesn't use ripgrep's lock file, for example. They don't have to, because of semver.
LtWorf
3y ago
What's the point of the lockfile then?
burntsushi
3y ago
For people that want to build with the exact set of dependency versions tested by upstream. Just because some distros don't use them doesn't mean there isn't any point.