undefined | Better HN

0 pointshobofan3y ago0 comments

> Just saying, I'm not sure auto semver with lockfiles is really a win over just locking to begin with.

It's still a win even if you consider only patch version updates. Without that, for a CVE in a dependency, every dependent package will have to update, and will first have to wait for the lower level to update and publish a new version. So for a dependency ~4 layers deep, with coordination and publishing lag in between, this can quickly take more than a week (and this is assuming responsive maintainers).

0 comments

tracker13y ago

A lot of time that happens anyway... at least with npm... there are a lot of times you see warnings, that you cannot resolve because of a nested dependency that is more than a point release off.

j / k navigate · click thread line to collapse

0 pointshobofan3y ago0 comments

> Just saying, I'm not sure auto semver with lockfiles is really a win over just locking to begin with.

0 comments

tracker13y ago

A lot of time that happens anyway... at least with npm... there are a lot of times you see warnings, that you cannot resolve because of a nested dependency that is more than a point release off.

j / k navigate · click thread line to collapse