Dependency Version Pinning
Discussions center on best practices for managing package dependencies: whether to pin exact versions, how lockfiles fit in, and the risks of automatic updates or loose version ranges across package managers such as npm, Cargo, pip, and Go modules.
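The summary above names exact pins, lockfiles and loose ranges across several package managers. As an added example that is not code from the page or from npm, pip or any other package manager, the Python below implements a small subset of pip's PEP 440 and npm's semver range syntax, reports which manifest entries are actually pinned, what a lockfile-less install would resolve today, and where that drifts from what a lockfile recorded. The package names (httpkit, pad-left, ...), their version lists, the REGISTRY index and the LOCKFILE mapping are all constructed for the example.

```python
"""Added example, not from the page or any package manager: what a loose
version specifier admits versus an exact pin, and how an install with no
lockfile drifts over time. Covers a small subset of pip (PEP 440) and npm
(semver) range syntax; pre-releases and build metadata are out of scope.
Every package name, version and release list below is made up."""
from __future__ import annotations
import operator
import re

Version = tuple[int, int, int]
Constraint = tuple[str, Version]
_OPS = {"==": operator.eq, ">=": operator.ge, ">": operator.gt,
        "<=": operator.le, "<": operator.lt}

def parse_version(text: str) -> tuple[Version, int]:
    """'1.2' -> ((1, 2, 0), 2): zero-padded triple plus the component count."""
    parts = [int(p) for p in text.strip().split(".")]
    n = len(parts)
    parts += [0] * (3 - n)
    return (parts[0], parts[1], parts[2]), n

def _bump(v: Version, idx: int) -> Version:
    """Exclusive upper bound for ~=, ~ and ^: increment component idx, zero the rest."""
    out = list(v)
    out[idx] += 1
    out[idx + 1:] = [0] * (2 - idx)
    return out[0], out[1], out[2]

def parse_pip(line: str) -> tuple[str, list[Constraint]]:
    """'httpkit>=2.25,<3' -> ('httpkit', [('>=', (2, 25, 0)), ('<', (3, 0, 0))])."""
    line = line.split("#", 1)[0].strip()
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(.*)$", line)
    if not m:
        raise ValueError(f"unparseable requirement: {line!r}")
    cons: list[Constraint] = []
    for part in filter(None, (p.strip() for p in m.group(2).split(","))):
        pm = re.match(r"^(==|>=|<=|~=|>|<)\s*([\d.]+)$", part)
        if not pm:
            raise ValueError(f"unsupported specifier: {part!r}")
        op, (v, n) = pm.group(1), parse_version(pm.group(2))
        if op == "~=":  # compatible release: ~=4.17 is >=4.17,<5 and ~=1.4.5 is >=1.4.5,<1.5
            cons += [(">=", v), ("<", _bump(v, max(n - 2, 0)))]
        else:
            cons.append((op, v))
    return m.group(1), cons

def parse_npm(spec: str) -> list[Constraint]:
    """One package.json range: '^1.2.0' -> [('>=', (1, 2, 0)), ('<', (2, 0, 0))]."""
    spec = spec.strip()
    if spec in ("", "*"):
        return []  # any release at all
    cons: list[Constraint] = []
    for part in spec.split():
        pm = re.match(r"^(\^|~|>=|<=|>|<)?v?([\d.]+)$", part)
        if not pm:
            raise ValueError(f"unsupported npm range: {part!r}")
        op, (v, n) = pm.group(1), parse_version(pm.group(2))
        if op is None:    # bare version: an exact pin
            cons.append(("==", v))
        elif op == "^":   # caret: the leftmost non-zero component must not change
            cons += [(">=", v), ("<", _bump(v, 0 if v[0] else 1 if v[1] else 2))]
        elif op == "~":   # tilde: patch-level changes only (minor-level if only a major is given)
            cons += [(">=", v), ("<", _bump(v, 1 if n >= 2 else 0))]
        else:
            cons.append((op, v))
    return cons

def satisfies(cons: list[Constraint], v: Version) -> bool:
    return all(_OPS[op](v, bound) for op, bound in cons)

def is_pinned(cons: list[Constraint]) -> bool:
    """Exactly one release admitted: a single '==' and nothing else."""
    return len(cons) == 1 and cons[0][0] == "=="

def resolve(cons: list[Constraint], available: list[str]) -> str | None:
    """What a fresh install with no lockfile picks: the newest release the range admits."""
    matching = [(parse_version(s)[0], s) for s in available if satisfies(cons, parse_version(s)[0])]
    return max(matching)[1] if matching else None

def audit(manifest: dict[str, list[Constraint]], index: dict[str, list[str]],
          lock: dict[str, str] | None = None) -> dict[str, dict]:
    """Per dependency: is it pinned, what resolves today, and did that drift from the lockfile."""
    report = {}
    for name, cons in manifest.items():
        fresh = resolve(cons, index.get(name, []))
        locked = (lock or {}).get(name)
        report[name] = {"pinned": is_pinned(cons), "resolves_to": fresh,
                        "drift": locked is not None and fresh != locked}
    return report

def build_manifest(pip_text: str, npm_deps: dict[str, str]) -> dict[str, list[Constraint]]:
    """Merge a requirements.txt fragment with a package.json "dependencies" object."""
    manifest = dict(parse_pip(l) for l in pip_text.splitlines() if l.split("#", 1)[0].strip())
    manifest.update((name, parse_npm(spec)) for name, spec in npm_deps.items())
    return manifest

# Constructed inputs: the manifests, what the registry serves today (newest last),
# and the lockfile written when the code was first installed. None are real.
PIP_REQUIREMENTS = "httpkit>=2.25  # open lower bound\ncryptolib==41.0.7\nschemakit~=4.17"
NPM_DEPENDENCIES = {"pad-left": "^1.2.0", "stream-utils": "3.3.4", "tiny-parser": "~0.4.1"}
REGISTRY = {"httpkit": ["2.25.1", "2.28.2", "2.31.0"], "cryptolib": ["41.0.7", "42.0.0"],
            "schemakit": ["4.17.3", "4.20.0", "5.0.0"], "pad-left": ["1.1.3", "1.2.0", "1.3.0", "2.0.0"],
            "stream-utils": ["3.3.4", "3.3.6"], "tiny-parser": ["0.4.1", "0.4.9", "0.5.0"]}
LOCKFILE = {"httpkit": "2.28.2", "cryptolib": "41.0.7", "schemakit": "4.17.3",
            "pad-left": "1.2.0", "stream-utils": "3.3.4", "tiny-parser": "0.4.1"}
```

Running `audit(build_manifest(PIP_REQUIREMENTS, NPM_DEPENDENCIES), REGISTRY, LOCKFILE)` shows the split the discussion is about: the two exact entries (`cryptolib==41.0.7` and `stream-utils` at `3.3.4`) resolve to the same release the lockfile recorded, while `>=2.25`, `~=4.17`, `^1.2.0` and `~0.4.1` each admit releases newer than the ones tested, so a fresh install picks `2.31.0`, `4.20.0`, `1.3.0` and `0.4.9` instead. That gap between what the manifest admits and what was actually run is what a committed lockfile closes; the range syntax alone does not.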
Sample Comments
If you depend on certain versions of a package you have bigger problems.
But the versions are locked, right? Similar to what package-lock.json etc. does. So what's the issue?
Not recording exact dependency versions seems like the right way to stop those PRs from happening.
Because versioning & dependencies are a nightmare that way
How is the dependency handling situation today? Not being able to refer to specific versions seems like a deal breaker for serious production applications.
Dependencies need bugfixes and you may even want to use new features, so locking is not a permanent solution.
A dependency change is no longer an author's problem when they have pinned down versions.
Crazy how many projects apparently depended on this library without pinning their versions.
Don't you get a bunch of incompatible packages when you restrict to specific fixed version numbers without indication? I guess this is only helpful if you don't plan to reuse your code in another project.
The problem is not that, the problem is depending on unreleased versions, instead of simply depending on the version that was written when you wrote your code. A Git-submodule-like approach would be much better.