re: He Commits Vendor! 😱

 

On my personal projects I don't really bother with this.
However, you only have to look at the NPM "leftpad" debacle to see why I ALWAYS do this in professional projects for a company.

I've had multiple times in my career where I need to update an old project that hasn't been touched in years, that has a dependency that is no longer available (easily) online.

 

[...] a dependency that is no longer available (easily) online.

Wow, I never thought that would be a problem!

 
 

Yeah, at the very least, I feel like making sure you commit the dependencies for major versions of your final product is important. I don't feel like we should assume composer.json or package.json will even be enough 5 years from now. Online services come and go at a moment's notice.
