Skip to content

Pin packages and add lockfile for reproducible builds #167

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

Pin packages and add lockfile for reproducible builds #167

wants to merge 1 commit into from
+90 −10

Conversation

ms1111
Copy link
Collaborator

@ms1111 ms1111 commented Sep 29, 2025

Description

To ensure reproducibility and minimize susceptibility to supply chain attacks, use a lock file for dependencies. As suggested in #166 (comment)

Using lockfile for deno v2 only.

For v1, it'd be a different lockfile format, and given it's only a few, pinned, standard packages, the risk of using unpinned transitive dependencies is low, and I figure the v1 build will go away at some point.

Things to look at

  • Test coverage
  • Code Style
  • Documentation (README.md, CHANGELOG.md, etc..)

@ms1111
Pin packages and add lockfile for reproducible builds
b61a9b4 
Using lockfile for deno v2 only. For v1, it'd be a different lockfile
format, and given it's only a few, pinned, standard packages, the risk
of using unpinned transitive dependencies is low, and I figure the v1
build will go away at some point.
hardy925
hardy925 approved these changes Sep 30, 2025
View reviewed changes
Copy link
Contributor

@hardy925 hardy925 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Thanks for also updating the packages.

In terms of the lock file I think @ChrisDufourMB did some work / research into it before so it might be useful to get his input as well.

image

hardy613
hardy613 approved these changes Sep 30, 2025
View reviewed changes
Copy link
Collaborator

@hardy613 hardy613 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

c.c @ChrisDufourMB @PizzaCatKing

@hardy613 hardy613 added bug Something isn't working enhancement New feature or request CI Continuous Integration chore labels Sep 30, 2025
@hardy613
Copy link
Collaborator

and I figure the v1 build will go away at some point.

yea, we can discuss that deprecation, although I hear v1 is still in use - so we'll need ot be clear about it somehow

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hardy613 hardy613 hardy613 approved these changes

@ChrisDufourMB ChrisDufourMB Awaiting requested review from ChrisDufourMB ChrisDufourMB is a code owner

+1 more reviewer

@hardy925 hardy925 hardy925 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@PizzaCatKing PizzaCatKing

@ms1111 ms1111

@ChrisDufourMB ChrisDufourMB

Labels

bug Something isn't working chore CI Continuous Integration enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@ms1111 @hardy613 @hardy925 @PizzaCatKing @ChrisDufourMB