
feat: pin dependencies #46

Merged
knocte merged 1 commit into master from wip/pinDeps on May 21, 2026

Conversation

@knocte knocte (Contributor) commented May 21, 2026

I've been a longtime proponent of not updating deps for update's sake, and even though I have refused to use dependabot for a long time, this is not enough in the NPM ecosystem because deps can still be updated by your users due to this dreadful ^ character next to the version number of your dependency.

Now, in this climate of constant supply-chain attacks, decent devs from the industry are finally starting to speak up about this shit [1] and also to take action [2], so I'll follow suit.

[1] https://x.com/mitchellh/status/2057171518027887035
[2] earendil-works/pi@2e02c74

@knocte knocte merged commit 4552ab6 into master May 21, 2026
2 checks passed
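As an added example (not code from this PR or the project), here is a small Node.js script that does what the description argues for: it replaces ranged specs in package.json with the exact versions already recorded in package-lock.json, and provides a check that fails when any direct dependency is still a range. It goes beyond the ^ character the description names and treats every non-exact spec (~, >=, x-ranges, *, dist-tags, git/file specs) the same way. The package names, versions and manifests below are constructed for the demo.

```javascript
// Added example, not code from the PR. Pins direct npm dependencies to the
// exact versions recorded in package-lock.json and flags any still-ranged
// spec. The sample manifests at the bottom are constructed for the demo.

// Fields a consumer resolves at install time. peerDependencies are left
// alone: they are meant to be ranges satisfied by the host project.
const PINNABLE_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// An exact semver version: MAJOR.MINOR.PATCH plus optional prerelease/build.
// Anything else (^, ~, >=, x-ranges, "*", "latest", git:/file:/npm: specs)
// is left to the resolver and can change underneath you on a fresh install.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isExact(spec) {
  return EXACT_VERSION.test(spec);
}

// Every direct dependency whose spec is not an exact version.
function findRangedDeps(pkg) {
  const ranged = [];
  for (const field of PINNABLE_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!isExact(spec)) ranged.push({ field, name, spec });
    }
  }
  return ranged;
}

// Installed version of a direct dependency according to the lockfile.
// lockfileVersion 2/3 keep it under packages["node_modules/<name>"],
// lockfileVersion 1 under dependencies[<name>].
function lockedVersion(lock, name) {
  const v3 = lock.packages && lock.packages[`node_modules/${name}`];
  if (v3 && v3.version) return v3.version;
  const v1 = lock.dependencies && lock.dependencies[name];
  if (v1 && v1.version) return v1.version;
  return null;
}

// Copy of package.json with every ranged direct dependency replaced by the
// exact version the lockfile resolved it to. A dependency without a lock
// entry is an error rather than a silent guess.
function pinFromLock(pkg, lock) {
  const pinned = JSON.parse(JSON.stringify(pkg));
  for (const { field, name, spec } of findRangedDeps(pkg)) {
    const version = lockedVersion(lock, name);
    if (version === null) {
      throw new Error(`${field}.${name} (${spec}) has no entry in package-lock.json`);
    }
    pinned[field][name] = version;
  }
  return pinned;
}

// CI gate: report every direct dependency that is still a range.
function checkPinned(pkg) {
  const ranged = findRangedDeps(pkg);
  return {
    ok: ranged.length === 0,
    problems: ranged.map(
      ({ field, name, spec }) => `${field}.${name}: "${spec}" is not an exact version`
    ),
  };
}

// Constructed sample inputs (hypothetical package names and versions).
const samplePkg = {
  name: "example-app",
  version: "0.1.0",
  dependencies: { libalpha: "^1.3.0", libbeta: "3.0.1", libgamma: "~2.4.0" },
  devDependencies: { devtool: ">=9.0.0" },
  peerDependencies: { hostframework: "^18.0.0" },
};

const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "0.1.0" },
    "node_modules/libalpha": { version: "1.3.0" },
    "node_modules/libbeta": { version: "3.0.1" },
    "node_modules/libgamma": { version: "2.4.7" },
    "node_modules/devtool": { version: "9.2.0" },
  },
};

const before = checkPinned(samplePkg); // ok: false, three ranged specs
const pinnedPkg = pinFromLock(samplePkg, sampleLock);
const after = checkPinned(pinnedPkg); // ok: true
console.log(before.problems.join("\n"));
console.log(JSON.stringify(pinnedPkg.dependencies), after.ok);
```

Pinning package.json only fixes the direct dependencies: transitive dependencies keep whatever ranges their own manifests declare, so the lockfile plus `npm ci` (which refuses to install when package.json and package-lock.json disagree) is still what holds the full tree in place. Exact pins also say nothing about content; the `integrity` hashes in the lockfile are what verify that.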