Conversation

incertum
Contributor

Add Package.resolved and dependabot.yml

Signed-off-by: Melissa Kilby <[email protected]>
@incertum incertum added the 🔨 semver/patch No public API change. label Sep 26, 2025
Contributor

@FranzBusch FranzBusch left a comment


I don't think that we should go ahead with this PR. The recommendation right now is to not commit the resolved file in libraries since the file has no impact on users of the package. Furthermore, libraries should avoid bumping the min versions unless there is a need for it e.g. new APIs available in a dependency.

@incertum
Contributor Author

incertum commented Oct 7, 2025

> I don't think that we should go ahead with this PR. The recommendation right now is to not commit the resolved file in libraries since the file has no impact on users of the package. Furthermore, libraries should avoid bumping the min versions unless there is a need for it e.g. new APIs available in a dependency.

There is a bigger discussion ongoing around this. Let's move this PR to draft state until there are new features or a new decision / outcome in this regard.

@incertum incertum marked this pull request as draft October 7, 2025 22:32
@ktoso
Collaborator

ktoso commented Oct 7, 2025

Yeah, it is not useful to have a Package.resolved in libraries.

Package.resolved isn't a real lock file; it doesn't matter at all in libraries either since consumer will just resolve anyway.

@incertum
Contributor Author

incertum commented Oct 7, 2025

> Yeah, it is not useful to have a Package.resolved in libraries.
>
> Package.resolved isn't a real lock file; it doesn't matter at all in libraries either since consumer will just resolve anyway.

ACK. Hoping this changes in the future and there will be new features allowing honoring a library’s real lock file (aligning with security best practices :)).

Collaborator

@ktoso ktoso left a comment


I don't think we should do this in libraries
