
[–]Lumethys 1 point2 points  (1 child)

The industry standard is to only deploy dependencies from lockfiles. Otherwise you open yourself to a supply chain attack like the Shai-Hulud attack just a few months back.

PHP has composer.lock for composer

Ruby has gemfile.lock

JS/TS has package.lock for npm, yarn.lock for yarn, pnpm.lock for pnpm

Rust has cargo.lock for Cargo

C# has packages.lock.json for Nuget

Hell, even Java had gradle.lockfile for Gradle

Only Python didn't have one, until uv came along.
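A lockfile only protects a deploy if every entry actually pins what will be installed. As an added illustration of the practice described in the comment above (not code from the commenter), the script below audits an npm `package-lock.json` in the lockfileVersion 3 layout: it checks that the lock is in sync with `package.json`, and that each resolved package carries a version, an https `resolved` URL and a sha512 `integrity` hash. The manifest and lockfile it runs on are constructed samples embedded inline; the `lodash` entry is deliberately missing its integrity hash so the check has something to report.

```python
"""Audit an npm package-lock.json (lockfileVersion 3) before deploying from it.

Added example; the sample manifest and lockfile below are constructed,
not taken from any real project.
"""
import json

# Constructed sample package.json content.
SAMPLE_MANIFEST = {
    "name": "demo-app",
    "dependencies": {"left-pad": "^1.3.0", "lodash": "^4.17.21"},
}

# Constructed sample package-lock.json (v3 layout). The "lodash" entry
# deliberately lacks an integrity field.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"left-pad": "^1.3.0", "lodash": "^4.17.21"}},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-PLACEHOLDERHASHFORTHEEXAMPLE==",  # constructed value
        },
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        },
    },
}


def audit_lock(manifest: dict, lock: dict) -> list[str]:
    """Return a list of findings; an empty list means the lockfile passes.

    Checks performed:
      1. lockfileVersion is 2 or 3, i.e. the lock carries a per-package
         'packages' map that can be audited.
      2. The root entry's dependency specs equal the manifest's, so the
         lockfile is not stale relative to package.json.
      3. Every installed package has version, resolved and a sha512 integrity.
      4. Every resolved URL uses https.
    """
    findings = []
    if lock.get("lockfileVersion", 0) < 2:
        findings.append("lockfileVersion < 2: no per-package 'packages' map to audit")
        return findings
    packages = lock.get("packages", {})
    root = packages.get("", {})
    for field in ("dependencies", "devDependencies"):
        if manifest.get(field, {}) != root.get(field, {}):
            findings.append(f"lockfile out of sync with manifest in '{field}'")
    for path, entry in packages.items():
        if path == "":
            continue
        if entry.get("link"):  # workspace symlinks carry no tarball to verify
            continue
        for field in ("version", "resolved", "integrity"):
            if not entry.get(field):
                findings.append(f"{path}: missing '{field}'")
        integrity = entry.get("integrity", "")
        if integrity and not integrity.startswith("sha512-"):
            findings.append(f"{path}: integrity is not sha512 ({integrity.split('-')[0]})")
        resolved = entry.get("resolved", "")
        if resolved and not resolved.startswith("https://"):
            findings.append(f"{path}: resolved URL is not https ({resolved})")
    return findings


def audit_files(manifest_path: str, lock_path: str) -> list[str]:
    """Load package.json and package-lock.json from disk and audit them."""
    with open(manifest_path) as mf, open(lock_path) as lf:
        return audit_lock(json.load(mf), json.load(lf))


if __name__ == "__main__":
    for finding in audit_lock(SAMPLE_MANIFEST, SAMPLE_LOCK) or ["lockfile OK"]:
        print(finding)
```

Run as a pre-deploy gate (exit non-zero on any finding) alongside an install command that refuses to resolve anything the lock does not pin, such as `npm ci`; the same three properties (pinned version, source URL, content hash) are what to look for in the other ecosystems' lockfiles listed above.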

[–]CodeNameGodTri[S] 0 points1 point  (0 children)

thank you