top | item 29868066

laurowyn | 4 years ago

Pin all you want, if the repo/vendor/maintainer pulls the release then you're not getting access to your dependencies at all.

If anything, this is the reason you use pull-through proxies. Your proxy will hold the version you depend on, regardless of upstream drama. Keep your proxy backed up and you'll be able to use those dependencies until the end of time, or you finally decide to migrate to an alternative.
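Added example (not code from the thread or from any project it names): a small audit of an npm `package-lock.json` that checks the two properties a pull-through proxy setup relies on. Every dependency must be `resolved` through the internal proxy, so an upstream unpublish cannot break the build, and every entry must carry a sha512 `integrity` hash, so the proxy's copy cannot silently diverge from what was originally locked. The proxy hostname `npm-proxy.internal`, the package names and the integrity values are all constructed placeholders.

```python
"""Audit an npm package-lock.json (lockfileVersion 2 or 3) for proxy-only
resolution and strong integrity hashes.  Added example with constructed data."""
import json
from urllib.parse import urlparse

# Hypothetical internal pull-through proxy host; substitute your own.
PROXY_HOST = "npm-proxy.internal"

# Constructed sample lockfile.  The sha512/sha1 values are placeholders, not
# real digests; only their prefix matters to the check below.
SAMPLE_LOCK = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/alpha": {
      "version": "1.3.0",
      "resolved": "https://npm-proxy.internal/alpha/-/alpha-1.3.0.tgz",
      "integrity": "sha512-PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER"
    },
    "node_modules/beta": {
      "version": "1.4.0",
      "resolved": "https://registry.npmjs.org/beta/-/beta-1.4.0.tgz",
      "integrity": "sha512-PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER"
    },
    "node_modules/gamma": {
      "version": "0.1.0",
      "resolved": "https://npm-proxy.internal/gamma/-/gamma-0.1.0.tgz",
      "integrity": "sha1-PLACEHOLDERPLACEHOLDER"
    },
    "node_modules/beta/node_modules/delta": {
      "version": "2.0.0"
    }
  }
}
""")


def audit_lockfile(lock: dict, proxy_host: str = PROXY_HOST) -> list[str]:
    """Return one human-readable finding per violated property."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":          # root project entry: nothing is fetched for it
            continue
        if meta.get("link"):    # workspace symlink: local, nothing to fetch
            continue
        # "node_modules/a/node_modules/b" -> "b"
        name = path.rsplit("node_modules/", 1)[-1]

        resolved = meta.get("resolved")
        if not resolved:
            findings.append(f"{name}: no 'resolved' URL (will be re-resolved at install time)")
        elif urlparse(resolved).hostname != proxy_host:
            findings.append(f"{name}: resolved from {urlparse(resolved).hostname}, not the proxy")

        integrity = meta.get("integrity", "")
        if not integrity.startswith("sha512-"):
            findings.append(f"{name}: integrity is {integrity or 'missing'!r}, expected sha512")
    return findings


if __name__ == "__main__":
    for line in audit_lockfile(SAMPLE_LOCK):
        print(line)
```

Run it against a real lockfile with `audit_lockfile(json.load(open("package-lock.json")))` in CI and fail the build on any finding; a lockfile that passes is one where pinning and the proxy actually cover every transitive dependency, which is the combination the comment above is arguing for.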

maxwell86 | 4 years ago

> if the repo/vendor/maintainer pulls the release

If your package system allows this, switch to another one, like, right now.

NPM, Cargo, etc. don't allow this (they "unlist" versions, but they don't "remove" them, i.e. you can't search for them, but they are still there).

cerved | 4 years ago

there are other benefits with proxies but fair point

chmod775 | 4 years ago

> NPM, Cargo, etc. don't allow this

I'd say the likelihood is about 50% you have a NPM package in your dependencies right now that pulls some binary or whatever from a random S3 bucket during installation.
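Added example (not code from the thread or from any project it names) for finding the packages the comment above describes: it walks a `node_modules` tree, lists every package whose `package.json` declares an install-time lifecycle script, and flags scripts that look like they download something. The marker list is a heuristic; the sample tree, package names and script bodies are constructed for the demonstration.

```python
"""List install-time lifecycle scripts under node_modules and flag ones that
appear to fetch from the network.  Added example; sample tree is constructed."""
import json
import tempfile
from pathlib import Path

# npm runs these on `npm install` (prepare only for the root project / git deps).
LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")
# Heuristic markers for "this script downloads something"; not exhaustive.
FETCH_MARKERS = ("http://", "https://", "curl ", "wget ",
                 "node-pre-gyp", "prebuild-install")


def find_install_scripts(root: Path) -> dict[str, dict]:
    """Map package name -> {'scripts': {...}, 'fetches_network': bool}."""
    results = {}
    for pkg_json in root.rglob("package.json"):
        try:
            data = json.loads(pkg_json.read_text())
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip, don't crash the audit
        scripts = data.get("scripts")
        if not isinstance(scripts, dict):
            continue
        hooks = {k: v for k, v in scripts.items() if k in LIFECYCLE}
        if not hooks:
            continue
        name = data.get("name") or str(pkg_json.parent.relative_to(root))
        fetches = any(m in cmd for cmd in hooks.values() for m in FETCH_MARKERS)
        results[name] = {"scripts": hooks, "fetches_network": fetches}
    return results


def build_sample_tree() -> Path:
    """Create a constructed node_modules tree in a temp dir and return its path."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    samples = {
        "quiet-lib": {"name": "quiet-lib", "version": "1.0.0"},
        "native-thing": {"name": "native-thing", "version": "2.1.0",
                         "scripts": {"install": "node-pre-gyp install --fallback-to-build"}},
        "fetcher": {"name": "fetcher", "version": "0.3.0",
                    "scripts": {"postinstall": "curl -fsSL https://example.invalid/bin.tgz -o bin.tgz",
                                "test": "jest"}},
        "builder": {"name": "builder", "version": "4.0.0",
                    "scripts": {"postinstall": "node build.js"}},
    }
    for dirname, manifest in samples.items():
        pkg_dir = root / dirname
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(manifest))
    return root


if __name__ == "__main__":
    for name, info in find_install_scripts(build_sample_tree()).items():
        flag = "NETWORK" if info["fetches_network"] else "local"
        print(f"{name:15} {flag:8} {info['scripts']}")
```

Point it at a real tree with `find_install_scripts(Path("node_modules"))` after an install. Anything flagged `NETWORK` is a package whose build depends on a host that is neither the registry nor your proxy, so it needs to be mirrored separately or vendored; installing with `npm ci --ignore-scripts` is the blunt way to confirm which packages actually need those hooks.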

chmod775 | 4 years ago

> Pin all you want, if the repo/vendor/maintainer pulls the release then you're not getting access to your dependencies at all.

And that's among the reasons people have started to commit their node_modules folders.

It has the neat side-effect of making people take a closer look at all the crap they're pulling in too.

rane | 4 years ago

Offline cache with Yarn 2+ protects against this and other network failures when building CI, for example.

junon | 4 years ago

> pulls the release then you're not getting access to your dependencies at all.

NPM no longer allows this.

kristjansson | 4 years ago

Which is why you pull through a private mirror that doesn’t respect delete?