-
|
Just like the title says, could we potentially replace packages.lock.json with transitive pinning in cpm? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 1 reply
-
|
They serve different purposes, but there is some overlap. With CPM and transitive pinning, you can ensure that transitive dependencies will be resolved to a specific version, which is something that lock files also do. However, CPM is designed to have a single place to define all those versions across an entire solution/repository, which lock files don't do. lock files on the other hand, pinning versions so that can't change is one feature. But they also do content hash comparisons, so you get SHA256 "security" that the package the developer who first added the package to the project is the same as what's being used on all other machines, which protects you from a nuget feed hack (or http interception attack), where the nupkg is replaced with a malicious payload. So, if your only use case is transitive package version pinning, then they're interchangeable, but otherwise they're more complementary features. |
Beta Was this translation helpful? Give feedback.
-
|
Thank you for the detailed response. |
Beta Was this translation helpful? Give feedback.
They serve different purposes, but there is some overlap.
With CPM and transitive pinning, you can ensure that transitive dependencies will be resolved to a specific version, which is something that lock files also do. However, CPM is designed to have a single place to define all those versions across an entire solution/repository, which lock files don't do.
lock files on the other hand, pinning versions so that can't change is one feature. But they also do content hash comparisons, so you get SHA256 "security" that the package the developer who first added the package to the project is the same as what's being used on all other machines, which protects you from a nuget feed hack (or http…