undefined | Better HN

0 pointswhat1mo ago0 comments

Pinning doesn’t help you. They can replace the package and you’ll get the new one. You have to vendor the dependencies.

0 comments

Pinning the SHA package hash would help? I am not too familiar with Python dependency management, so not sure if this is supported.

I don't think pypi or npm allow replacing existing packages?

j / k navigate · click thread line to collapse

Pinning the SHA package hash would help? I am not too familiar with Python dependency management, so not sure if this is supported.

I don't think pypi or npm allow replacing existing packages?

j / k navigate · click thread line to collapse