DanConwayDev's avatar
DanConwayDev _@danconwaydev.com 1 year ago
There are (at least) two quite different problems here: 1) how do I decide which version of a dependency version I should use? Many projects trust package management tools (yarn, cargo, etc) and centralised repositories (crates.io, etc) to serve them the most suitable hashed state via commands like `yarn update` and `cargo update`. To what extent are these states signed by the dependency's maintainers and to what extent are these signatures validated on the developers machine across language and package management ecosystems? I'd be interested to see some analysis of this. 2) how can I download a specific version of a dependencies without relying on a centralised entity (github)
↑ Parent

Replies (1)

frphank's avatar
frphank 1 year ago
(1) is a good question. Form the time being I'm assuming we have already determined a hash. So I'm trying to solve (2). Mind you (2) happens much more often and in an automated fashion, (1) can be manual for the time being.
1 replies ↓