Always add the commit hash to the lock file #242
Labels
Comments
|
#354 did implement this. |
|
Actually taking a second look at the code I'm not 100% confident about this anymore, @waj would you mind to confirm? |
|
@jhass correct, the hash is only stored as version metadata when using git references (branch, tag, commit). I'd like to use a slightly different mechanism so we could still differentiate the intention of the lock, and thus provide better error messages. |
|
But I guess with #354 in place, validating the stored commit still matches the stored git tag or version should be pretty easy to do, would be great if you could keep that in mind :) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Now the commit hash isn't used when a version is specified.
If the maintainer of a library rebase or force-push a new commit, and then recreating a tag, we can end up with a untrustworthy/untested dependency without knowing it.
Having a commit hash along with the pinned version prevents this type of ninja changes.
The text was updated successfully, but these errors were encountered: