skypackjs / skypack-cdn

An issue tracker for the CDN

Question: how does pinned pkg regeneration work? #248

Open cristiano-belloni opened 2 years ago

cristiano-belloni commented 2 years ago

Hi, I was wondering how pinned packages are regenerated. For example, this module, @hya/micro-state, depends on React. If I GET the linked pinned version with hash v6k7RuMoMlN6wnCEe264, I see that the React version imported there is react@v17.0.1, presumably because the pinned version was 17.0.1 at the time the pinned package was generated.

At the time of writing this question, though, the current version of React is 17.0.2, which would satisfy the React version range in the package.

The questions are:

1 - Does the "default" pinned version, linked by the Lookup URL, ever get regenerated? For example, will the pinned version associated with the 0.0.6 lookup ever be something different than v6k7RuMoMlN6wnCEe264 (and get the latest dependencies compatible with the semver range)?

2 - If yes, does it get automatically regenerated or does it need user intervention? In https://github.com/skypackjs/skypack-cdn/issues/86 you speak of "regeneration" for deep dependencies, but it's not clear how it's achieved (or if it's achieved by publishing a new version to npm).

3 - If it gets automatically regenerated, what are the conditions under which a regeneration is triggered?

4 - Do you use the npm / yarn lock of the package to decide what dependency versions get into the published pinned package? What if the lock is not present?

Obviously, that library and its React dependency are just an example. I'd just like to know more about how packages are generated, particularly from a reproducibility and security point of view (for example, what if one pinned library's dependencies become unsafe and they're fixed in a newer patch? A fresh npm install would update them, but would they be forever buried in a pinned package? And would that package be forever buried in a lookup URL for one version?)
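The staleness the question describes can be checked from the consumer side without knowing the CDN's regeneration policy: fetch the pinned module, read which exact dependency versions were frozen into it, and compare them with the package's declared semver ranges and with what the registry publishes today. The following Node script is an added example, not code from skypack-cdn or from the issue author. It assumes the pinned import shape `/-/<pkg>@v<semver>-<hash>/...` seen in the issue, uses a constructed module body and a constructed registry snapshot so it runs offline (a real audit would fetch the pinned URL and the npm registry), and ships its own minimal semver matcher (`^`, `~`, and plain comparators; no prerelease tags or `||`) instead of the npm `semver` package.

```javascript
// Added example (not from the skypack-cdn project or the issue author):
// detect dependency versions frozen into a pinned Skypack module and
// report whether a newer in-range release exists ("stale pin").
// Assumed pinned specifier shape: /-/<pkg>@v<major.minor.patch>-<hash>/...
// Prerelease versions and "||" ranges are deliberately not handled.

const PIN_RE =
  /from\s+["']\/-\/((?:@[^/]+\/)?[^/@]+)@v(\d+\.\d+\.\d+)-[A-Za-z0-9]+\//g;

// Map of dependency name -> exact version baked into the pinned module body.
function extractPinnedImports(moduleSource) {
  const pins = new Map();
  for (const m of moduleSource.matchAll(PIN_RE)) pins.set(m[1], m[2]);
  return pins;
}

const parse = (v) => v.split(".").map(Number);

// Three-way compare of two "x.y.z" strings.
function cmp(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Expand one comparator into {lo, loInc, hi, hiInc}; null means unbounded.
function bounds(comp) {
  const m = /^(\^|~|>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(comp);
  if (!m) throw new Error(`unsupported comparator: ${comp}`);
  const op = m[1] || "=";
  const v = m[2];
  const [ma, mi, pa] = parse(v);
  switch (op) {
    case "^": {
      // ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4 (npm semantics)
      const hi = ma > 0 ? `${ma + 1}.0.0` : mi > 0 ? `0.${mi + 1}.0` : `0.0.${pa + 1}`;
      return { lo: v, loInc: true, hi, hiInc: false };
    }
    case "~": return { lo: v, loInc: true, hi: `${ma}.${mi + 1}.0`, hiInc: false };
    case ">=": return { lo: v, loInc: true, hi: null, hiInc: false };
    case ">": return { lo: v, loInc: false, hi: null, hiInc: false };
    case "<=": return { lo: null, loInc: false, hi: v, hiInc: true };
    case "<": return { lo: null, loInc: false, hi: v, hiInc: false };
    default: return { lo: v, loInc: true, hi: v, hiInc: true };
  }
}

// True if version satisfies every space-separated comparator in range.
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((comp) => {
    const b = bounds(comp);
    if (b.lo !== null) {
      const c = cmp(version, b.lo);
      if (c < 0 || (c === 0 && !b.loInc)) return false;
    }
    if (b.hi !== null) {
      const c = cmp(version, b.hi);
      if (c > 0 || (c === 0 && !b.hiInc)) return false;
    }
    return true;
  });
}

// declaredRanges: the package's own "dependencies" map.
// available: versions the registry publishes (constructed here; a real
// audit would query the npm registry for each dependency).
function auditPinned(moduleSource, declaredRanges, available) {
  const findings = [];
  for (const [name, pinned] of extractPinnedImports(moduleSource)) {
    const range = declaredRanges[name];
    const newer = (available[name] || [])
      .filter((v) => cmp(v, pinned) > 0 && range !== undefined && satisfies(v, range))
      .sort(cmp);
    findings.push({
      name,
      pinned,
      range: range ?? null,
      inRange: range !== undefined && satisfies(pinned, range),
      newestInRange: newer.length ? newer[newer.length - 1] : null,
    });
  }
  return findings;
}

// Constructed sample: the kind of import a pinned build of a React consumer
// might carry. The hash segment is made up.
const SAMPLE_PINNED_MODULE = `
import React from '/-/react@v17.0.1-AbCdEfGhIjKlMnOpQrSt/dist=es2019,mode=imports/optimized/react.js';
export function useMicroState(init) { return React.useState(init); }
`;
const SAMPLE_DEPENDENCIES = { react: "^17.0.1" };
// Constructed registry snapshot mirroring the issue's scenario.
const SAMPLE_REGISTRY = { react: ["17.0.0", "17.0.1", "17.0.2", "18.0.0"] };

function exampleAudit() {
  return auditPinned(SAMPLE_PINNED_MODULE, SAMPLE_DEPENDENCIES, SAMPLE_REGISTRY);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of exampleAudit()) {
    const status = f.newestInRange
      ? `stale, ${f.newestInRange} satisfies ${f.range}`
      : "up to date";
    console.log(`${f.name}: pinned ${f.pinned}, ${status}`);
  }
}
```

Run against the constructed sample it reports `react: pinned 17.0.1, stale, 17.0.2 satisfies ^17.0.1`, which is exactly the situation the question raises: the pin is still within the declared range, so nothing in the package itself would flag it, yet a fresh install would resolve differently. Pointing `auditPinned` at the real pinned URL body and live registry data turns it into a periodic check for security-relevant patches buried under a lookup URL.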