
Pin packages and add lockfile for reproducible builds

Open ms1111 opened this issue 3 months ago • 1 comments

Description

To ensure reproducibility and minimize susceptibility to supply chain attacks, use a lock file for dependencies, as suggested in https://github.com/GameBridgeAI/ts_serialize/pull/166#issuecomment-3339625062

Using lockfile for deno v2 only.

For v1, it'd be a different lockfile format, and given it's only a few, pinned, standard packages, the risk of using unpinned transitive dependencies is low, and I figure the v1 build will go away at some point.

Things to look at

  • [ ] Test coverage
  • [ ] Code Style
  • [ ] Documentation (README.md, CHANGELOG.md, etc.)

ms1111, Sep 29 '25 19:09

> and I figure the v1 build will go away at some point.

yea, we can discuss that deprecation, although I hear v1 is still in use - so we'll need to be clear about it somehow

hardy613, Sep 30 '25 15:09