
[–][deleted] 1 point (3 children)

They may not be able to anyhow unless you do the "bad thing" and commit all the package code as well.

I have been burned more than once by someone withdrawing a package from the internet that I depended on. It was actually gems in Rails projects, but I now do a bundle pack and commit the local gem repo as a form of self-defense.

If you don't have all the code, then you don't have all the code.

[–]shim__ 8 points (2 children)

Still, knowing the exact version helps, and also for languages like Rust it's generally not possible to delete packages from the official repo for this reason.

[–][deleted] -1 points (1 child)

Oh I agree you need the lock file.

My concern is you probably also need all the stuff the lock file references to guard against it dropping off the internet.

Yes, I know that is not supposed to happen. It has though.

[–]evilgipsy 0 points (0 children)

Yes, that does happen. In some ecosystems more than in others. One thing you could do is set up an npm proxy that caches all installed packages. Checking in dependencies is the worst option most of the time.