>> But the end effect was production never pulled from the internet
Having production ever pull from the interwebs just seems bonkers to me. Even if you (for some reason?) want to stay up-to-date on every single dependency release you should be pulling to your own repo with some sort of gated workflow. If you're doing continuous deployment you definitely want to put extra control around your external dependencies, and releasing your product quickly after they change is probably the rare exception.
You can still lock versions, or even hashes. But it still leaves you open to "denial of service" if the "interwebs" acts up or someone unpublishes a package.
> Having production ever pull from the interwebs just seems bonkers to me.
Is it really that big of an issue if your package manager pins dependencies by hash?
I guess a public package registry can be down and break your pipeline; that's a risk. But I don't see how it introduces any new security problems.
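The two failure modes the thread is circling (hash pinning stops a swapped artifact but does nothing when the artifact is simply gone, which is what a local mirror covers) are easy to see side by side in code. The following is an added example, not code from the thread or from any package manager; the lockfile, the "local mirror" and the "public registry" are constructed in-memory dictionaries standing in for real artifact stores, and all package names and contents are made up:

```python
"""Hash-pinned dependency resolution: local mirror first, public registry as fallback.

Added example (not from the thread). Everything below is constructed in memory:
a lockfile of (version, sha256) pins, a local mirror holding what was vetted,
and a "public registry" whose contents may have drifted since the pins were cut.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed lockfile: package name -> (pinned version, sha256 of artifact bytes).
LOCKFILE = {
    "leftpad": ("1.3.0", sha256_hex(b"leftpad-1.3.0 contents")),
    "colors": ("1.4.0", sha256_hex(b"colors-1.4.0 contents")),
    "evtool": ("2.0.0", sha256_hex(b"evtool-2.0.0 contents")),
}

# Constructed artifact stores: (name, version) -> artifact bytes.
LOCAL_MIRROR = {
    ("leftpad", "1.3.0"): b"leftpad-1.3.0 contents",  # vetted and copied in
}
PUBLIC_REGISTRY = {
    ("leftpad", "1.3.0"): b"leftpad-1.3.0 contents",
    # Same version string, different bytes: a re-uploaded or tampered artifact.
    ("colors", "1.4.0"): b"colors-1.4.0 contents TAMPERED",
    # evtool 2.0.0 has been unpublished: no entry at all.
}


class ResolveError(Exception):
    """Raised when a locked package cannot be obtained with a matching hash."""


def resolve(name, lockfile, sources):
    """Return (source_label, artifact) for a locked package or raise ResolveError.

    sources is an ordered list of (label, store) pairs. Put the local mirror first
    so the public registry is only consulted when the mirror lacks the artifact.
    A hash mismatch at one source never returns bytes; it is recorded and the next
    source is tried, so a bad registry copy cannot shadow a good mirror copy.
    """
    if name not in lockfile:
        raise ResolveError(f"{name}: not in lockfile, refusing unpinned install")
    version, expected = lockfile[name]
    reasons = []
    for label, store in sources:
        artifact = store.get((name, version))
        if artifact is None:
            reasons.append(f"{label}: missing")  # availability failure
            continue
        if sha256_hex(artifact) != expected:
            reasons.append(f"{label}: sha256 mismatch")  # integrity failure
            continue
        return label, artifact
    raise ResolveError(f"{name}=={version}: " + "; ".join(reasons))


def resolve_all(names, lockfile, sources):
    """Resolve every package; return (resolved, failed) dicts keyed by name."""
    resolved, failed = {}, {}
    for name in names:
        try:
            resolved[name] = resolve(name, lockfile, sources)
        except ResolveError as exc:
            failed[name] = str(exc)
    return resolved, failed


if __name__ == "__main__":
    with_fallback = [("mirror", LOCAL_MIRROR), ("registry", PUBLIC_REGISTRY)]
    mirror_only = [("mirror", LOCAL_MIRROR)]
    for label, sources in (("mirror+registry", with_fallback), ("mirror only", mirror_only)):
        ok, bad = resolve_all(LOCKFILE, LOCKFILE, sources)
        print(label)
        for name, (src, _) in ok.items():
            print(f"  ok    {name} from {src}")
        for name, why in bad.items():
            print(f"  FAIL  {why}")
```

With the registry as a fallback, `colors` fails on integrity (the pin catches the changed bytes) and `evtool` fails on availability (nothing to hash); with the mirror alone, both simply fail as missing until someone vets them and copies them in. Either way the build fails closed rather than installing something unpinned, which is the point of combining the pin with a mirror.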