Closed NyCodeGHG closed 1 year ago
Hey!
Let me state first that I understand the use case of having the repo contain all files necessary for a reproducible build!
However, for my use case and typical development workflow(s), checking a lockfile into version control is a lot of hassle, given that I explicitly need to update it to benefit from updated dependencies. While having a lockfile really encourages some best practices (being able to vet all dependencies; making attacks via hacked packages much less likely; etc.), it also incentivises me to use outdated dependencies.
I would be happy to check in a lockfile, given that there's low-maintenance and low-noise tooling in place to keep it up-to-date! For example a bot submitting commits that update it.
I'm happy to merge a PR that configures renovate bot to
package.json
but keeps the originally specified range as-is,Done, as of c34f218!
thank you very much :)
@derhuerst do you plan to create a new release containing the lockfile? If not, I'll just apply https://github.com/derhuerst/db-rest/commit/c34f218373af26ce03233849fd73d8b5166c600b as a patch in the nixpkgs package :)
Do you mean a new Git tag? Sure, will push one!
thanks :)
Hi, I'm in the process of packaging db-rest in nixpkgs for usage in traewelling, but I noticed that the repo does not have any lockfile for the node dependencies (e.g. package-lock.json, yarn.lock). Nix requires all dependencies to be locked, in general, committing the lockfile is a best practice which should also be done outside of nix. I could roll my own lockfile, but I would rather have this fixed upstream, so I would like to ask kindly to add a lockfile.