@wesm node package lockfiles improve install times locally and in CI, but are also a security feature. Malicious package-hijacking has become a thing, and the lockfiles ensure we/library consumers can pin the dependencies of our dependencies to strict (or exact) version ranges if required. We already do that for our immediate dependencies, but it's extremely common for node modules to declare their own dependencies as allowing major/minor/patch updates.
[ Full content available at: https://github.com/apache/arrow/pull/2598 ] This message was relayed via gitbox.apache.org for [email protected]
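Added example (not code from the apache/arrow PR): a small Node script that shows the two things the comment describes, how a caret range such as `^1.2.0` declared by a transitive dependency admits newer releases when nothing pins it, and an audit of a lockfileVersion 2/3 `package-lock.json` that checks every transitive entry is pinned to an exact version with an integrity hash from the expected registry. The lockfile, the published version list and the registry URL are constructed assumptions.

```javascript
// Registry every "resolved" URL is expected to come from (assumption for this example).
const EXPECTED_REGISTRY = "https://registry.npmjs.org/";

// Parse "x.y.z" into numbers; returns null for a range spec such as "^1.2.0".
function parseExact(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

// Does a caret range "^a.b.c" admit exact version "x.y.z"? Caret permits any
// change that leaves the leftmost non-zero component untouched (npm semantics).
function caretAllows(range, version) {
  const base = parseExact(range.replace(/^\^/, ""));
  const v = parseExact(version);
  if (!base || !v) return false;
  let k = base.findIndex((n) => n !== 0);
  if (k === -1) k = 2;
  for (let i = 0; i <= k; i++) if (v[i] !== base[i]) return false;
  for (let i = k + 1; i < 3; i++) {
    if (v[i] > base[i]) return true;
    if (v[i] < base[i]) return false;
  }
  return true;
}

// Highest published version the range resolves to when no lockfile pins it.
function resolveWithoutLock(range, published) {
  const cmp = (a, b) => { const x = parseExact(a), y = parseExact(b);
    for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return y[i] - x[i]; return 0; };
  return published.filter((v) => caretAllows(range, v)).sort(cmp)[0] || null;
}

// Audit each non-root lockfile entry; an empty result means every dependency of
// a dependency is pinned exactly, hash-verified, and fetched from the expected host.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, e] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    if (!parseExact(e.version || "")) findings.push(`${path}: version not exact (${e.version})`);
    if (!/^sha512-/.test(e.integrity || "")) findings.push(`${path}: missing sha512 integrity`);
    if (!(e.resolved || "").startsWith(EXPECTED_REGISTRY)) findings.push(`${path}: unexpected source ${e.resolved}`);
  }
  return findings;
}

// Constructed sample: "left" declares "^1.2.0" for util-a; the lock pins util-a at 1.2.3.
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  "": { dependencies: { left: "1.0.0" } },
  "node_modules/left": { version: "1.0.0", integrity: "sha512-AAAA",
    resolved: "https://registry.npmjs.org/left/-/left-1.0.0.tgz", dependencies: { "util-a": "^1.2.0" } },
  "node_modules/util-a": { version: "1.2.3", integrity: "sha512-BBBB",
    resolved: "https://registry.npmjs.org/util-a/-/util-a-1.2.3.tgz" },
  "node_modules/util-b": { version: "2.0.0", resolved: "https://example.invalid/util-b-2.0.0.tgz" } } };
console.log(resolveWithoutLock("^1.2.0", ["1.2.3", "1.9.0", "2.0.0"]), auditLockfile(SAMPLE_LOCK));
```

Without the lockfile, `^1.2.0` would pull 1.9.0 (whatever was most recently published in the 1.x line); with it, `npm ci` installs exactly 1.2.3 and fails if the tarball's hash does not match.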
