ss3000 | 5 years ago

In practice the biggest issue I've found with git+pinned hashes as dependencies is that most public sources of remote git repositories allow the repository to be taken down by the author at any time, i.e. an author can turn a public GitHub repo private or simply delete it at will.

Whereas most public package registries generally don't allow removal of publicly published packages outside of special circumstances, so the references will be more durable.

greggman3 | 5 years ago

Fortunately it's trivial to clone a repo and link to the clone.

brylie | 5 years ago

In a dependency of a dependency of a dependency?

divs1210 | 5 years ago

The next leftpad debacle is going to be due to a git dependency.