breautek commented on PR #957:
URL: https://github.com/apache/cordova-plugin-camera/pull/957#issuecomment-4114672974

> I am considering whether we should pin dependencies to an exact version (e.g., 1.18.0) and stop using .+.
> While using .+ would pull in the latest patch and may include bug fixes, it would also compromise build consistency and reproducibility.

Generally speaking, in the Google ecosystem (with Google's lint tool, which is used in Android Studio), they advise against using version ranges and prefer people to use exact versions. It is a completely different mantra than NPM, which is the exact opposite...

<img width="1290" height="87" alt="image" src="https://github.com/user-attachments/assets/e527bc04-4243-4b40-9dbf-c22a3d412b58" />

Personally I prefer exact version numbers and I use them in my own projects whenever I can... so I wouldn't be against using an exact pin. But I can also understand the argument for it.

In my opinion, having varying version ranges makes it more likely for a supply chain attack. Hypothetically... Should a dependency get hijacked and a malicious version get pushed, all you need to do to pull in that malicious package is to do another build, as that will pull in any updates that are available automatically. At least with exact version pins, you need to consciously update that package, and hopefully by the time you get around to actually updating dependencies, the hijacked package has already been dealt with in repository managers.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
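The comment above argues that dynamic Gradle versions (`.+` suffixes) let a hijacked dependency flow into the next build without anyone consciously choosing it. The following is an added example, not code from the cordova-plugin-camera project or from the commenter: a small Python lint that scans a `build.gradle` fragment and flags every dependency whose version is not an exact pin, so it can be run as a CI gate. It goes slightly beyond the `.+` case in the thread by also catching Gradle's other dynamic selectors (bracket ranges like `[1.3.0,2.0.0)` and `latest.release`/`latest.integration`). Both Gradle fragments are constructed sample input; the `com.example:lib` coordinate is a placeholder, and `find_dynamic_versions` is a hypothetical helper name, not anything from the project.

```python
import re
import sys

# Constructed sample build.gradle fragment with dynamic versions (the "weak" setting).
# Coordinates are illustrative only; com.example:lib is a placeholder.
WEAK_GRADLE = """
dependencies {
    implementation 'androidx.core:core:1.18.+'
    implementation "androidx.exifinterface:exifinterface:[1.3.0,2.0.0)"
    implementation 'com.example:lib:latest.release'
    implementation 'androidx.appcompat:appcompat:1.6.1'
}
"""

# The same fragment with every version pinned exactly (the corrected setting).
PINNED_GRADLE = """
dependencies {
    implementation 'androidx.core:core:1.18.0'
    implementation 'androidx.exifinterface:exifinterface:1.3.7'
    implementation 'com.example:lib:2.4.1'
    implementation 'androidx.appcompat:appcompat:1.6.1'
}
"""

# Matches Groovy-DSL string-notation dependencies such as
#   implementation 'group:name:version'   or   api("group:name:version")
# It does not try to understand map notation or version catalogs.
DEP_RE = re.compile(
    r"""^\s*(\w+)\s*\(?\s*['"]([^'":\s]+):([^'":\s]+):([^'"\s]+)['"]"""
)


def version_is_dynamic(version):
    """Return a human-readable reason if Gradle would treat the version as dynamic,
    otherwise None. Covers the three forms Gradle resolves at build time."""
    if version.endswith("+"):
        return "prefix range (+)"
    if version[0] in "[(" or version[-1] in "])":
        return "version range"
    if version.startswith("latest."):
        return "latest.* selector"
    return None


def find_dynamic_versions(gradle_text):
    """Scan a build.gradle fragment and return (line_no, coordinate, reason)
    for every dependency that is not pinned to an exact version."""
    findings = []
    for lineno, line in enumerate(gradle_text.splitlines(), start=1):
        m = DEP_RE.match(line)
        if not m:
            continue
        _config, group, name, version = m.groups()
        reason = version_is_dynamic(version)
        if reason:
            findings.append((lineno, f"{group}:{name}:{version}", reason))
    return findings


def main():
    # Run as a CI gate: non-zero exit if any dynamic version is present.
    for label, text in (("weak", WEAK_GRADLE), ("pinned", PINNED_GRADLE)):
        findings = find_dynamic_versions(text)
        print(f"{label}: {len(findings)} dynamic version(s)")
        for lineno, coord, reason in findings:
            print(f"  line {lineno}: {coord}  [{reason}]")
    return 1 if find_dynamic_versions(WEAK_GRADLE) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Running it on the weak fragment reports three dynamic versions and exits non-zero; the pinned fragment passes. An exact pin only fixes which version a build asks for, not whether the artifact served under that version is the one you reviewed; for that, Gradle's dependency locking and dependency verification metadata (checksums or signatures per artifact) are the complementary controls.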

