undefined | Better HN

0 pointsbombolo3y ago0 comments

It's more dangerous to let people pin dependencies and have vulnerable libraries in use forever.

0 comments

Who says the distros are using the lock file? AFAIK, Debian doesn't use ripgrep's lock file, for example. They don't have to, because of semver.

LtWorf3y ago

What's the point of the lockfile then?

burntsushi3y ago

For people that want to build with the exact set of dependency versions tested by upstream. Just because some distros don't use them doesn't mean there isn't any point.

j / k navigate · click thread line to collapse

0 pointsbombolo3y ago0 comments

It's more dangerous to let people pin dependencies and have vulnerable libraries in use forever.

0 comments

burntsushi3y ago

Who says the distros are using the lock file? AFAIK, Debian doesn't use ripgrep's lock file, for example. They don't have to, because of semver.

LtWorf3y ago

What's the point of the lockfile then?

burntsushi3y ago

For people that want to build with the exact set of dependency versions tested by upstream. Just because some distros don't use them doesn't mean there isn't any point.

j / k navigate · click thread line to collapse