derhuerst
commented
1 year ago Hey!
Let me state first that I understand the use case of having the repo contain all files necessary for a reproducible build!
However, for my use case and typical development workflow(s), checking a lockfile into version control is a lot of hassle, given that I explicitly need to update it to benefit from updated dependencies. While having a lockfile really encourages some best practices (being able to vet all dependencies; making attacks via hacked packages much less likely; etc.), it also incentivises me to use outdated dependencies.
I would be happy to check in a lockfile, given that there's low-maintenance and low-noise tooling in place to keep it up-to-date! For example a bot submitting commits that update it.
NyCodeGHG
Hi, I'm in the process of packaging db-rest in nixpkgs for usage in traewelling, but I noticed that the repo does not have any lockfile for the node dependencies (e.g. package-lock.json, yarn.lock). Nix requires all dependencies to be locked, in general, committing the lockfile is a best practice which should also be done outside of nix. I could roll my own lockfile, but I would rather have this fixed upstream, so I would like to ask kindly to add a lockfile.