Comments
-
kamen687428d
Honestly I don't have a strong preference. Pinning to an exact version means that I might have to update manually if a vulnerability comes up. Same major+latest patch might work better for that, but that depends on how the CI/CD is set up (if any).
-
atheist1042628d
Personal preference, don't pin, fix stuff when it breaks (or pin until it's fixed). Releases/deployment should record the exact version they were deployed with (e.g. build a docker container). Then other people complain I play fast and loose and want more exact pinning. Then we fall multiple major releases behind and run a version with known security issues (yes that's my current job).
-
donkulator380728d
Exact, with integrity check where possible.
Dependabot or similar to tell you when there's a new version available so you can make a conscious decision whether to bump it or not.
-
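Added example, written for this page and not taken from the thread or any commenter: a small Node.js script that reads a package.json together with its lockfileVersion 2/3 package-lock.json, classifies each specifier as exact, caret (same major, latest minor/patch), tilde (same major.minor, latest patch) or unpinned, and reports dependencies whose lock entry is missing, lacks an integrity hash, or resolved to a version outside the declared range. The two manifests are constructed inline (the package names and sha512 values are placeholders); to run it on a real project, load them with `JSON.parse(fs.readFileSync(...))` instead.

```javascript
// Added example (not from the devRant thread): audit how an npm project pins
// its dependencies and whether the lockfile carries an integrity hash for each.
// Assumes the lockfileVersion 2/3 layout, where lock.packages is keyed by
// "node_modules/<name>". Only Node's standard library is used.

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(v));
  return m ? { major: +m[1], minor: +m[2], patch: +m[3] } : null;
}

function cmp(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Classify a specifier the way the thread discusses them.
function classifySpec(spec) {
  if (/^\d+\.\d+\.\d+$/.test(spec)) return 'exact';   // frozen version
  if (/^\^\d+\.\d+\.\d+$/.test(spec)) return 'caret'; // same major, latest minor/patch
  if (/^~\d+\.\d+\.\d+$/.test(spec)) return 'tilde';  // same major.minor, latest patch
  if (spec === '' || spec === '*' || spec === 'latest') return 'any';
  return 'other'; // git URLs, hyphen ranges, "||" unions, dist-tags, file: paths
}

// Does `version` fall inside the range `spec` allows? Only the four simple
// forms above are evaluated; 'other' specs are reported as unverified (false).
function satisfies(spec, version) {
  const kind = classifySpec(spec);
  const v = parseSemver(version);
  if (!v || kind === 'other') return false;
  if (kind === 'any') return true;
  const lo = parseSemver(spec.replace(/^[\^~]/, ''));
  if (cmp(v, lo) < 0) return false;                 // below the lower bound
  if (kind === 'exact') return cmp(v, lo) === 0;
  if (kind === 'tilde') return v.major === lo.major && v.minor === lo.minor;
  // caret: the leftmost non-zero component of the lower bound is frozen
  if (lo.major > 0) return v.major === lo.major;
  if (lo.minor > 0) return v.major === 0 && v.minor === lo.minor;
  return cmp(v, lo) === 0;                          // ^0.0.x pins the patch
}

// Returns one finding per problem: missing lock entry, missing or unknown
// integrity algorithm, or a locked version outside the declared spec.
function auditLockfile(pkg, lock) {
  const findings = [];
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const packages = lock.packages || {};
  for (const [name, spec] of Object.entries(deps)) {
    const kind = classifySpec(spec);
    const entry = packages[`node_modules/${name}`];
    if (!entry) {
      findings.push({ name, kind, problem: 'missing from lockfile' });
      continue;
    }
    if (!/^sha(256|384|512)-/.test(entry.integrity || '')) {
      findings.push({ name, kind, problem: 'no integrity hash' });
    }
    if (!satisfies(spec, entry.version)) {
      findings.push({ name, kind, problem: `locked ${entry.version} does not satisfy ${spec}` });
    }
  }
  return findings;
}

// Constructed sample manifests; package names and hashes are placeholders.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    'pkg-exact': '1.3.0',
    'pkg-caret': '^4.17.21',
    'pkg-tilde': '~4.18.0',
    'pkg-any': '*',
  },
  devDependencies: { 'pkg-missing': '2.1.0' },
};

const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/pkg-exact': { version: '1.3.0', integrity: 'sha512-PLACEHOLDER0' },
    'node_modules/pkg-caret': { version: '4.18.0', integrity: 'sha512-PLACEHOLDER1' },
    'node_modules/pkg-tilde': { version: '4.19.2', integrity: 'sha512-PLACEHOLDER2' },
    'node_modules/pkg-any':   { version: '2.0.0' },        // no integrity recorded
  },
};

console.table(auditLockfile(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK));
```

On the sample input the audit reports three problems: pkg-tilde resolved to 4.19.2, which `~4.18.0` does not allow; pkg-any has no integrity hash, so `npm ci` cannot verify the tarball; and pkg-missing has no lock entry at all. Running this in CI alongside Dependabot gives the "exact, with integrity check" policy a concrete gate rather than relying on reviewers to eyeball the lockfile.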
Lensflare1932528d
Latest minor.
I had only one case of a lib which didn't know what semver is and released breaking changes with minor updates.
It was a lib for a paid service. Fucking amateurs.
-
CoreFusionX349228d
@Lensflare
It's actually not unheard of at all, and this coming from JS world where you don't need to care about ABI, and have many other language level features that can soften the blow.
I've had juniors break complete libraries because they would take my C++ library, run their retarded linter through it that insisted on reordering the fields in a class according to some retarded scheme, and end up completely breaking ABI since memory layouts changed.
"But who cares about reordering fields, it's all the same!"
...
-
my method is:
- i just install stuff
- if there is deps issue, just upgrade or downgrade random things until it works
Works every time
-
Plus blaming npm is a great way to treat yourself to a day off once in a while.
Remember, overworking is very dangerous for your health.
-
sidthepajfuk17127d
I never use latest, it's unstable; use exact frozen dependencies and update now and then.
-
CoreFusionX349227d
@jestdotty
>> I delete the lock files
>> I get annoyed when shit stops working
I guess npm is judeomasonic, or controlled by the Illuminati.
-
sidthepajfuk17127d
Do you prefer to pin dependencies to an exact version or a specified major, latest minor version?
[question]