| "devDependencies": { | ||
| "husky": "^9.0.11", | ||
| "jest": "^29.7.0", | ||
| "knip": "6.2.0", | ||
| "lint-staged": "^15.2.7", | ||
| "prettier": "^3.3.3" | ||
| "prettier": "^3.3.3", | ||
| "vitest": "4.1.2" |
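Review bot: `"vitest": "4.1.2"` is added as an exact pin while the surrounding devDependencies (`husky`, `jest`, `lint-staged`, `prettier`) keep caret ranges, so the pinning policy inside this one block is inconsistent; pin them all the same way in this change. `jest` also stays listed next to the new `vitest`; if vitest replaces it, drop `jest` here too, otherwise the reason for keeping two test runners should be stated in the PR description.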
Nitpick: I would consider using exact match for every dev dependency listed here
Done via latest commit. Why do you recommend exact matches only for dev dependencies and not for regular dependencies though? And how about GitHub workflow inclusions (uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2)?
Why do you recommend exact matches only for dev dependencies and not for regular dependencies though?
I pin devDependencies so I always know the exact versions in use without needing to run commands like pnpm ls.
I don’t pin dependencies so that, if a security issue arises, consumers don’t have to wait for a new release with updated pinned versions.
And how about GitHub workflow inclusions
Recently, I’ve noticed more repositories using hashes instead of tags.
The reason is that a hash is immutable, whereas a tag is not, making hashes a more secure option.
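An added example (not code from this PR or the project) that turns the two rules in the reply above into a repeatable check: devDependencies must be exact versions, and workflow `uses:` references must be full commit SHAs rather than tags. The package.json and workflow inputs are constructed here, mirroring the values quoted above.

```javascript
// Pinning audit for the policy discussed above (added example, not project code):
//  - devDependencies: exact versions only (no ^, ~, ranges or tags)
//  - dependencies: left alone on purpose, so consumers can pick up patched releases
//  - GitHub Actions `uses:` refs: a full 40-hex commit SHA, not a mutable tag
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;
const FULL_SHA = /^[0-9a-f]{40}$/;

// Names of devDependencies whose version spec is not an exact version.
function unpinnedDevDependencies(pkg) {
  const dev = pkg.devDependencies || {};
  return Object.keys(dev).filter((name) => !EXACT_VERSION.test(dev[name]));
}

// `uses:` references in a workflow file that are not pinned to a full commit SHA.
// Local actions (./path) and docker:// images have no git ref and are skipped.
function unpinnedActionUses(workflowYaml) {
  const out = [];
  for (const line of workflowYaml.split("\n")) {
    const m = line.match(/^\s*-?\s*uses:\s*([^\s#]+)/);
    if (!m) continue;
    const ref = m[1].replace(/^["']|["']$/g, "");
    if (ref.startsWith("./") || ref.startsWith("docker://")) continue;
    const at = ref.lastIndexOf("@");
    const version = at === -1 ? "" : ref.slice(at + 1);
    if (!FULL_SHA.test(version)) out.push(ref);
  }
  return out;
}

// Constructed sample inputs: the devDependencies block from the diff above and a
// workflow using the same action once by hash and once by tag.
const samplePkg = {
  devDependencies: {
    husky: "^9.0.11",
    jest: "^29.7.0",
    knip: "6.2.0",
    "lint-staged": "^15.2.7",
    prettier: "^3.3.3",
    vitest: "4.1.2",
  },
};
const sampleWorkflow = [
  "steps:",
  "  - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2",
  "  - uses: actions/checkout@v6.0.2",
  "  - uses: ./.github/actions/local",
].join("\n");

console.log(unpinnedDevDependencies(samplePkg)); // [ 'husky', 'jest', 'lint-staged', 'prettier' ]
console.log(unpinnedActionUses(sampleWorkflow)); // [ 'actions/checkout@v6.0.2' ]
```

Run either function over the real package.json and each file under .github/workflows in CI to fail the build when a range or a tag slips back in.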
Aligning some aspects of the general setup with https://github.com/stats-organization/github-stats-extended so that the projects are more similar to each other and it's easier to work on them in parallel.