32
You can fork a package, but can you own it?
(event-driven.io)
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 11 Jun 2026
32 points (100.0% liked)
Programming
27417 readers
41 users here now
Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!
Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.
Hope you enjoy the instance!
Rules
Rules
- Follow the programming.dev instance rules
- Keep content related to programming in some way
- If you're posting long videos try to add in some form of tldr for those who don't want to watch videos
Wormhole
Follow the wormhole through a path of communities !webdev@programming.dev
founded 3 years ago
MODERATORS
The following section about SBOMs covers what I'm about to say, but I want to add to it. Most (all?) major ecosystems include lockfiles that let you control exact dependency versions and look at them. Always be explicit when updating the lockfile.
I also want to add that Nix gives you the ability to do this at the tooling level. While I'm not going to say everyone should go install Nix, do seriously consider that or devcontainers or some other kind of solution to ensure that you don't get hit by tools you rely on becoming compromised suddenly (PSA: if you use AUR, seriously read that thread). As long as you can pin a specific version of each tool you use, whether by creating a shared image, by pinning a nixpkgs commit, or whatever, you shouldn't have anything suddenly change on you.