6
sjwsjwsjw
28d

Do you prefer to pin dependencies to an exact version or a specified major, latest minor version?

Comments
  • 3
    Normally exact; for private projects, none.
  • 3
    Honestly I don't have a strong preference. Pinning to an exact version means that I might have to update manually if a vulnerability comes up. Same major+latest patch might work better for that, but that depends on how the CI/CD is set up (if any).
  • 4
    Always exact.

    Build replayability is vital for CI/CD.
  • 1
    Personal preference: don't pin, fix stuff when it breaks (or pin until it's fixed). Releases/deployments should record the exact version they were deployed with (e.g. build a Docker container). Then other people complain I play fast and loose and want more exact pinning. Then we fall multiple major releases behind and run a version with known security issues (yes, that's my current job).
  • 3
    Exact, with integrity check where possible.

    Dependabot or similar to tell you when there's a new version available so you can make a conscious decision whether to bump it or not.
  • 2
    Latest minor.

    I had only one case of a lib that didn't know what semver is and released breaking changes in minor updates.

    It was a lib for a paid service. Fucking amateurs.
  • 2
    @Lensflare

    It's actually not unheard of at all, and this is coming from the JS world, where you don't need to care about ABI and have many other language-level features that can soften the blow.

    I've had juniors break complete libraries because they would take my C++ library, run their retarded linter through it that insisted on reordering the fields in a class according to some retarded scheme, and end up completely breaking ABI since memory layouts changed.

    "But who cares about reordering fields, it's all the same!"

    ...
  • 1
    My method is:

    - I just install stuff

    - if there's a deps issue, just upgrade or downgrade random things until it works

    Works every time.
  • 0
    Plus, blaming npm is a great way to treat yourself to a day off once in a while.

    Remember, overworking is very dangerous for your health.
  • 0
    I never use latest; it's unstable. I use exact frozen dependencies and update now and then.
  • 3
    @jestdotty

    >> I delete the lock files

    >> I get annoyed when shit stops working

    I guess npm is judeomasonic, or controlled by the Illuminati.
  • 0
    @jestdotty

    Do you do things differently just for the sake of avoiding being mainstream?