Closed JamieMagee closed 4 years ago
For security reasons we can't do this from a non-trusted source, see this comment - https://github.com/microsoft/typed-rest-client/issues/90#issuecomment-570293148
Okay, but what's the difference between this, and the other dependencies from package.json? Would it make any difference if this were tagged against a specific git hash?
Okay, but what's the difference between this, and the other dependencies from package.json?
Essentially level of comfort with the publisher. We've got an approved list on our side that we're comfortable taking a dependency on.
Would it make any difference if this were tagged against a specific git hash?
Not really - this is mostly a compliance issue (not necessarily even stemming from Microsoft, some of these requirements come from downstream customers).
Instead, add git dependency in package.json