Hacker News

cxr today at 5:58 AM

> If I had specified this repo's git url with a specific version number or sha directly in my package.json[…] that's not really an end-run around version control at that point

Yes it is. Git doesn't operate based on package.json.

You're still trying to devise a scheme where, instead of Git tracking the source code of what you're building and deploying and/or turning into a release, you're excluding parts of that content from Git's purview. That's doing an end-run around the VCS.


Replies

montroser today at 10:00 AM

It's hardly an end-run around VCS to specify an external dependency's VCS sha, and resolve that at build time.

But okay, let's go further and use git submodules so that package.json is out of the picture. Even in that case we have the same problem.

Or, let's go even further and vendor the dependency so it is now copied into our source code. Even in that case too, we still have the same problem.

The dependency has been malicious all along, so if we use it in any way the game is already over.
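An added example, not from either commenter: a check over a package.json (constructed here, with hypothetical dependency names and hosts) that flags git dependencies not pinned to a full commit sha, the configuration cxr and montroser are discussing. It only tells mutable refs (branch, tag, semver-over-tags, default HEAD) apart from a fixed sha; as montroser notes, a pinned sha says nothing about whether the pinned code is trustworthy.

```javascript
// Added example (not from the thread): audit package.json git dependencies.
// npm git specs look like git+https://host/o/r.git#ref, github:o/r#ref or o/r#ref.
const GIT_SPEC = /^(git(\+\w+)?:\/\/|github:|gitlab:|bitbucket:|[^@:/#]+\/[^@:/#]+(#|$))/;

// Returns null for non-git specs, otherwise { spec, pinned, reason }.
function classifyGitSpec(spec) {
  if (typeof spec !== 'string' || !GIT_SPEC.test(spec)) return null;
  const hashIdx = spec.indexOf('#');
  const ref = hashIdx === -1 ? '' : spec.slice(hashIdx + 1);
  if (ref === '') {
    return { spec, pinned: false, reason: 'no ref: resolves to default branch HEAD at install time' };
  }
  if (/^[0-9a-f]{40}$/i.test(ref)) {
    return { spec, pinned: true, reason: 'full commit sha' };
  }
  if (ref.startsWith('semver:')) {
    return { spec, pinned: false, reason: 'semver range over tags; tags can be moved' };
  }
  return { spec, pinned: false, reason: `ref "${ref}" is a branch or tag, not a commit sha` };
}

// Walks the dependency fields and lists git deps that are not sha-pinned.
function findUnpinnedGitDeps(pkg) {
  const unpinned = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const r = classifyGitSpec(spec);
      if (r && !r.pinned) unpinned.push({ name, field, ...r });
    }
  }
  return unpinned;
}

// Constructed sample package.json: one registry dep, one pinned git dep, four mutable ones.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-app',
  dependencies: {
    lodash: '^4.17.21',
    'pinned-lib': 'git+https://example.invalid/org/pinned-lib.git#0123456789abcdef0123456789abcdef01234567',
    'branch-lib': 'github:example-org/branch-lib#main',
    'tag-lib': 'example-org/tag-lib#v1.2.0',
    'head-lib': 'git+ssh://git@example.invalid/org/head-lib.git',
  },
  devDependencies: { 'semver-lib': 'example-org/semver-lib#semver:^2.0.0' },
});

for (const d of findUnpinnedGitDeps(JSON.parse(SAMPLE_PACKAGE_JSON))) {
  console.log(`${d.field}/${d.name}: ${d.reason}`);
}
```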