Comment by Already__Taken

3 months ago

We didn't get locking until npm v5 (some memory and googling, could be wrong.) And it took a long time to do everything you'd think you want.

Changing the main command `npm install` after 7 years isn't really "stable". Anyway didn't this replace versions, so locking won't have helped either?

4 comments

Already__Taken

minitech 3 months ago

You can’t replace existing versions on npm. (But probably more important is what @jffry mentioned – yes, lockfiles include hashes.)

jffry 3 months ago

> Anyway didn't this replace versions, so locking won't have helped either?

The lockfile includes a hash of the tarball, doesn't it?

Already__Taken 3 months ago

It does, the answer to my question was no.
thunderfork 3 months ago

[dead]