Secure dependency management
Chris Piker
chris at hoopjump.com
Sun Jan 5 17:18:18 UTC 2025
On Sunday, 5 January 2025 at 06:21:15 UTC, evilrat wrote:
> If your project can't take the risk of losing online
> dependencies you might just want to put and commit them under
> your project's version control system
That's nice and simple, so maybe a good idea, but it does make it
more difficult to get upstream changes when desired. For example
one of my dependencies `dpq2` actually reduced its dependency
count over the last year, and I definitely wanted those
changes.
> And in Git for example submodules (other git repos linked to
> your repo) are also a thing, however by default it won't clone
> them without an explicit recursive flag, and even if you have git
> experience it is somewhat confusing to upgrade them (at least
> for me).
This is the route I'll probably take, i.e. make git submodules
for my dependencies, (there's only 7 of them). Even though
submodules can be a pain, we use them a lot around here so I'm
committed to dealing with their idiosyncrasies.
> So just having `dub.selections.json` in your repository
> pointing to a local (committed dependencies in that same repo)
This is very useful advice, thanks! I didn't know about
dub.selections.json, especially since its [manual
page](https://dub.pm/dub-guide/selections/) is blank. That could
work well with submodules.
...now to find out how to use dub.selections.json.
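A `dub.selections.json` that pins every dependency to a checkout committed in the project's own repository (e.g. as a git submodule), so a build never reaches out to the registry; this is an added example and not from the thread. `dpq2` is the only dependency named in the thread, the other package names and the `deps/` paths are assumed.

```json
{
  "fileVersion": 1,
  "versions": {
    "dpq2": { "path": "deps/dpq2" },
    "vibe-d": { "path": "deps/vibe-d" },
    "derelict-pq": { "path": "deps/derelict-pq" }
  }
}
```

With `path` entries instead of version strings dub resolves each package from the given directory relative to the project root, so the selections file, the submodule pins and the lockstep upgrade of both can all be reviewed in one commit.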