A couple of weeks back, I stumbled upon an interesting piece over at Twitter. The crux being not committing lockfiles into the code base; rather odd at the outset.
The rationale does make sense from a different perspective into things. When package.json files with scripts and other requirements change, so do lock files. So far, so very good the situation. Where the unseen enemy creeps up from, is with the latter's content.
Lockfiles, when you observe them, contain, nested dependencies and more important, hashes. A hashed integrity value of the commit/file gets added, to verify sources. Now, where issues crop up is when a diff comes through and such content not being human friendly to read.
As it stands, there aren't many ways to deal with the important concern of integrity and we do live with. Or, in some cases, bat for it all the way with religious fervour.
In this backdrop, found a piece on Hackernews from the Cloudflare blog. This piece on library updates is of interest. For two reasons, from my shoes, the interest gets piqued.
First off, the case when package updates that tend to fix critical issues aren't updated. This, from experience is in part developer laziness of not running periodical audits. Not to forget, cases where a package's update while fixing things, changes its API surface. In some cases, so much so, the break is too high a bandwidth; here's looking at you React(Native). After all, looking at a handful of code bases (including mine) where a npm audit is long pending, does make one wonder.
Second, is how critical issues could receive patches, with minimal developer/maintainer interference. A comment on the Cf post mentions a handful, but concerned at best with Cloudflare's handling. And that opens up a question about developers sticking to sane practices.
Some there, as a matter of fact can be of use at a developer/maintainer's end, except, when it all boils down to discipline. Now that picture in place, as I tend to take up parts of our system, I have a few plans to sort some limbs of this. Beyond dev. discipline, some amount of heavy lifting is of need, and one could hope they fall in place as we move ahead.