Always add the commit hash to the lock file #242
Comments
#354 did implement this.
Actually, taking a second look at the code, I'm not 100% confident about this anymore. @waj, would you mind confirming?
@jhass correct, the hash is only stored as version metadata when using git references (branch, tag, commit). I'd like to use a slightly different mechanism so we could still differentiate the intention of the lock, and thus provide better error messages.
But I guess with #354 in place, validating that the stored commit still matches the stored git tag or version should be pretty easy to do; it would be great if you could keep that in mind :)
Now the commit hash isn't used when a version is specified.
If the maintainer of a library rebases or force-pushes a new commit and then recreates a tag, we can end up with an untrustworthy/untested dependency without knowing it.
Having a commit hash along with the pinned version prevents this type of ninja change.
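A lock check in the spirit of what this issue asks for, as an added example that is not shards' own code: for each pinned dependency it compares the locked commit against the commit the remote tag resolves to today, and flags entries that pin a version without any commit at all. The lock-entry keys, the URLs and the remote tag table are constructed stand-ins (in practice the table would come from `git ls-remote --tags`).

```python
import re

# Constructed sample lock entries. The key names are an assumption for this
# example, not the real shard.lock layout.
LOCK = {
    "foo": {"git": "https://example.invalid/foo.git", "version": "1.2.3", "commit": "a" * 40},
    "bar": {"git": "https://example.invalid/bar.git", "version": "0.4.0", "commit": "b" * 40},
    "baz": {"git": "https://example.invalid/baz.git", "version": "2.0.0"},  # no commit pinned
}

# Constructed stand-in for what `git ls-remote --tags <url>` would report today:
# tag name -> commit the tag currently points at. bar's maintainer force-pushed
# and recreated v0.4.0 on a different commit.
REMOTE_TAGS = {
    "https://example.invalid/foo.git": {"v1.2.3": "a" * 40},
    "https://example.invalid/bar.git": {"v0.4.0": "c" * 40},
    "https://example.invalid/baz.git": {"v2.0.0": "d" * 40},
}

FULL_SHA1 = re.compile(r"[0-9a-f]{40}")


def resolve_tag(url, version, remote=REMOTE_TAGS):
    """Return the commit the remote tag for `version` points at now, or None."""
    tags = remote.get(url, {})
    for candidate in (f"v{version}", version):  # both tag spellings are common
        if candidate in tags:
            return tags[candidate]
    return None


def verify_lock(lock, remote=REMOTE_TAGS):
    """Return (shard, problem) pairs; an empty list means every pin still holds."""
    problems = []
    for name, entry in lock.items():
        commit = entry.get("commit")
        if not commit or not FULL_SHA1.fullmatch(commit):
            problems.append((name, "no full commit hash pinned; a tag alone can be rewritten"))
            continue
        current = resolve_tag(entry["git"], entry["version"], remote)
        if current is None:
            problems.append((name, f"tag for {entry['version']} no longer exists on the remote"))
        elif current != commit:
            problems.append((name, f"tag {entry['version']} moved from {commit[:7]} to {current[:7]}"))
    return problems


if __name__ == "__main__":
    for name, problem in verify_lock(LOCK):
        print(f"{name}: {problem}")
```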