Pin packages and add lockfile for reproducible builds#167
Open
Pin packages and add lockfile for reproducible builds#167
Conversation
Using lockfile for deno v2 only. For v1, it'd be a different lockfile format, and given it's only a few, pinned, standard packages, the risk of using unpinned transitive dependencies is low, and I figure the v1 build will go away at some point.
hardy925
approved these changes
Sep 30, 2025
Contributor
hardy925
left a comment
hardy925
left a comment
There was a problem hiding this comment.
LGTM
Thanks for also updating the packages.
In terms of the lock file I think @ChrisDufourMB did some work / research into it before so it might be useful to get his input as well.
hardy613
approved these changes
Sep 30, 2025
hardy613
added
bug
Collaborator
yea, we can discuss that deprecation, although I hear v1 is still in use - so we'll need ot be clear about it somehow |
hardy925
approved these changes
Nov 7, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
To ensure reproducibility and minimize susceptibility to supply chain attacks, use a lock file for dependencies. As suggested in #166 (comment)
Using lockfile for deno v2 only.
For v1, it'd be a different lockfile format, and given it's only a few, pinned, standard packages, the risk of using unpinned transitive dependencies is low, and I figure the v1 build will go away at some point.
Things to look at
README.md,CHANGELOG.md, etc..)