Security would be a useful benefit/section to add to this post:
A.) If maintainers of your dependencies edited an existing version.
B.) If your dependencies did not pin their dependencies.
For instance, if you installed vue-cli in May of last year from NPM with --prefer-offline (basically the same as checking in your node_modules), you were fine. But because vue-cli doesn't pin its dependencies ("node-ipc"), installing fresh/online would create WITH-LOVE-FROM-AMERICA.txt on your desktop [1], which was at the very least a scare, but for some, very problematic.
[1] https://github.com/vuejs/vue-cli/issues/7054
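The two risks named above (an unpinned range in a dependency's manifest, and a registry tarball that can be silently replaced) are both checkable from the files already in the repository. The following audit script is an added example, not code from the thread or from any of the projects mentioned; the manifest, lock entries, version numbers and hash in it are constructed for illustration.

```javascript
// One exact semver version, e.g. "1.2.3" or "1.2.3-beta.1"
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Returns {name, spec, field, reason} for every dependency in a package.json
// object that is not pinned to a single exact version.
function findUnpinned(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (EXACT.test(spec)) continue;
      let reason;
      if (/^(latest|next)$|^\*$|^x$|^$/.test(spec)) reason = 'floating tag or wildcard';
      else if (/^[~^]|^[<>=]|\|\||\s-\s|\.x/.test(spec)) reason = 'semver range';
      else if (/^(git|github:|https?:|file:|npm:|link:)/.test(spec)) reason = 'non-registry source';
      else reason = 'unrecognised specifier';
      findings.push({ name, spec, field, reason });
    }
  }
  return findings;
}

// Returns the package-lock.json (lockfileVersion 2/3 "packages" map) entries
// that carry no "integrity" hash, so a re-published tarball under the same
// version would not be rejected by npm's download verification.
function findMissingIntegrity(lock) {
  const missing = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue;      // the root project itself
    if (entry.link) continue;       // workspace symlink, nothing to hash
    if (!entry.integrity) missing.push(path);
  }
  return missing;
}

// Constructed sample inputs (names, versions and hash are made up)
const samplePkg = {
  dependencies: { 'node-ipc': '^9.2.1', left: '1.2.3', util: 'latest' },
  devDependencies: { tool: 'github:example/tool' },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': {},
    'node_modules/node-ipc': { version: '9.2.2', resolved: 'https://registry.example/node-ipc-9.2.2.tgz' },
    'node_modules/left': { version: '1.2.3', integrity: 'sha512-CONSTRUCTED-PLACEHOLDER' },
  },
};

console.log(findUnpinned(samplePkg));           // node-ipc, util and tool are flagged
console.log(findMissingIntegrity(sampleLock));  // ['node_modules/node-ipc']
```

Running both checks over every manifest under node_modules (not just the top-level one) is what catches the transitive case the comment describes.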
There is also this - https://github.com/microsoft/p4vfs and several other solutions - just need to dig around.
Nix (https://nix.dev/) can provide all of this, although in a smarter way than just through dumping everything in the VCS. Some projects use it already to provide a reproducible development environment and if done right a clean build is just a `nix-build` away.
vcpkg may expire assets after 1.5 years, so to achieve long-term reproducibility you will need to cache your dependencies... somewhere. Not sure what the expected solution is.
https://github.com/microsoft/vcpkg/pull/30546#issuecomment-1...