> So you can have a pinned library that doesn't pin colors.js. Now you make a change in packages.json (say adding or removing another unrelated package). You will end up with colors being bumped to latest.
What the actual fuck. Who designed this fucking tire fire? Are you kidding me? What even is the point of package-lock.json??
I can't believe this. I actually can't. Now I have to audit all our dependencies, thanks.
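As an added example, not code from the thread: a small script that audits a constructed `lockfileVersion` 2 `package-lock.json` for dependency edges declared as semver ranges rather than exact versions, since those are the edges that can move when npm re-resolves, which is the behaviour the quoted comment describes. The package names `some-logger` and `safe-lib` are hypothetical; `colors` is the package the quote names.

```javascript
// Added example: find transitive dependency edges in a package-lock.json that are
// declared as ranges (e.g. "^1.4.0") instead of exact versions. The lockfile below
// is constructed inline for illustration; only "colors" is taken from the thread.
const CONSTRUCTED_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "some-logger": "2.3.1" } },
    "node_modules/some-logger": {
      version: "2.3.1",
      dependencies: { colors: "^1.4.0" } // range: may move on re-resolution
    },
    "node_modules/colors": { version: "1.4.0" },
    "node_modules/safe-lib": { version: "0.1.0", dependencies: { colors: "1.4.0" } }
  }
};

// A specifier is exact when it is a bare version with no range operators.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

function isExactSpec(spec) {
  return EXACT_VERSION.test(String(spec).trim());
}

// Returns one record per dependency edge whose specifier is not exact.
// `locked` is the version currently recorded in the lockfile (nested
// node_modules checked first, then the hoisted top-level entry), so a reviewer
// can see which pinned version a regeneration could move away from.
function findFloatingDeps(lockfile) {
  const pkgs = lockfile.packages || {};
  const floating = [];
  for (const [path, entry] of Object.entries(pkgs)) {
    const parent = path === "" ? "(root)" : path;
    for (const [dep, spec] of Object.entries(entry.dependencies || {})) {
      if (isExactSpec(spec)) continue;
      const nested = path === "" ? null : pkgs[`${path}/node_modules/${dep}`];
      const hoisted = pkgs[`node_modules/${dep}`];
      const resolved = nested || hoisted;
      floating.push({ parent, dep, spec, locked: resolved ? resolved.version : null });
    }
  }
  return floating;
}

for (const f of findFloatingDeps(CONSTRUCTED_LOCKFILE)) {
  console.log(`${f.parent} -> ${f.dep}@${f.spec} (locked at ${f.locked}) is not pinned exactly`);
}
```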
NPM is pretty bad at this. It frustrates me to no end every time I have to use it. It manages to do everything exactly wrong, especially in comparison to the other package manager I use daily: Composer. That one does everything right.
It's the same in Python (at least with standard virtual envs): you can pin libraries, but dependencies of the libs are not pinned, and you can get different versions based on which lib is installed first.
I'm told poetry fixes this, but haven't checked it myself.