mrcolbyrussell commented on issue #161: URL: https://github.com/apache/incubator-annotator/issues/161#issuecomment-1852237279

> dependencies when required and keeping them out of the repo - using the `package.lock`

What's `package.lock`?

> Artifact repositories like pypy, npmjs or maven central

This is not a Python or JVM project, nor is it a broad philosophical discussion. This is about apache/incubator-annotator.

> having dependencies in the repo gives incentive to not upgrading them regularly, leading to dependency rot ...

> Better update dependencies with every release

That doesn't describe what's happening now. Dependencies can change from build to build; today, Developer A can clone the repo at 10:01 AM and run the build while Developer B clones the repo at 10:13 AM and runs the build, and they get different results because the build script is not really a build script—it's entangled with dynamically fetching missing pieces of the source tree, which change upstream from time to time. (Again, this isn't unusual for NPM-based projects, but it being the [norm](https://en.wikipedia.org/wiki/Normalization_of_deviance) is not a substitute for an argument on its own merits.)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscr...@annotator.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
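The "Developer A at 10:01, Developer B at 10:13" drift described in the comment can be made visible by diffing the resolved trees the two installs produced. This is an added example, not code from the annotator project or the thread; the two lockfile documents and the package names in them are constructed for illustration.

```python
"""Detect dependency drift between two npm lockfiles (added example).

If a build resolves dependencies dynamically instead of from a committed
lockfile, two clones made minutes apart can resolve different trees. Comparing
the `packages` map of lockfileVersion 2/3 documents shows exactly which
version or integrity hash moved. Both lockfiles below are constructed samples.
"""
import json

# Constructed sample: what Developer A's install resolved at 10:01.
LOCK_A = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"left-pad": "^1.3.0", "chalk": "^4.0.0"}},
        "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-AAAA"},
        "node_modules/chalk": {"version": "4.1.1", "integrity": "sha512-BBBB"},
    },
})

# Constructed sample: Developer B at 10:13, after an upstream publish pulled in
# a newer chalk and a new transitive dependency that A never saw.
LOCK_B = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"left-pad": "^1.3.0", "chalk": "^4.0.0"}},
        "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-AAAA"},
        "node_modules/chalk": {"version": "4.1.2", "integrity": "sha512-CCCC"},
        "node_modules/ansi-styles": {"version": "4.3.0", "integrity": "sha512-DDDD"},
    },
})


def resolved(lock_text: str) -> dict:
    """Map each installed path to (version, integrity) from a v2/v3 lockfile."""
    data = json.loads(lock_text)
    out = {}
    for path, entry in data.get("packages", {}).items():
        if path == "":  # the root project entry carries no version pin
            continue
        # Compare integrity too: the same version string from a different
        # source (mirror, re-hosted tarball) is still a different artifact.
        out[path] = (entry.get("version", ""), entry.get("integrity", ""))
    return out


def drift(lock_a: str, lock_b: str) -> dict:
    """Return which installed packages changed, appeared, or vanished between A and B."""
    a, b = resolved(lock_a), resolved(lock_b)
    return {
        "changed": sorted(p for p in a.keys() & b.keys() if a[p] != b[p]),
        "added": sorted(b.keys() - a.keys()),
        "removed": sorted(a.keys() - b.keys()),
    }


if __name__ == "__main__":
    for kind, paths in drift(LOCK_A, LOCK_B).items():
        print(f"{kind}: {paths}")
```

Committing the lockfile and installing with `npm ci` (which installs exactly what the lockfile records) is what makes both clones resolve the same tree; run against two lockfiles from a repository that does this, `drift` returns three empty lists.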