17 Jun 2026 8:22 p.m.
On 17 Jun 2026 21:58, Sam Darwin wrote:
fixed known good versions
The nodejs installations use package-lock.json files to lock the versions.
Does this mechanism guarantee fixed versions of the downloaded components of the entire dependency chain? That is, does it prevent a dependency from updating from one Boost build to another without our consent?
At the time of a boost release, a completely new archive isn't generated, suddenly introducing a problem. Rather, a previous snapshot is renamed. If a vulnerability appeared during the lock-down period, we would at least have some chance to react.
Then compromising a snapshot build is just as dangerous as compromising the release.
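As an added example, not part of the thread, here is a small Python check over a package-lock.json (lockfileVersion 3 layout) that lists entries whose pin is not content-addressed: the sample lockfile and its package names are constructed inline for the demonstration.

```python
import json

# Constructed sample of a lockfileVersion 3 package-lock.json (not from the
# thread): one entry is pinned with an integrity hash, one lacks the hash, and
# one is resolved from a git URL rather than a registry tarball.
SAMPLE_LOCK = json.dumps({
    "name": "site", "lockfileVersion": 3, "packages": {
        "": {"name": "site", "dependencies": {"left-pad": "^1.3.0"}},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-AAAA..."},          # placeholder hash
        "node_modules/nohash": {
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/nohash/-/nohash-2.0.0.tgz"},
        "node_modules/gitdep": {
            "version": "0.1.0",
            "resolved": "git+ssh://git@github.com/example/gitdep.git#main"},
    }})


def audit_lock(lock_text, registry="https://registry.npmjs.org/"):
    """Return {path: [problems]} for every installed package whose pin is not
    fully reproducible: a missing integrity hash means a re-published tarball
    of the same version would be accepted, and a non-registry source needs
    its own review because it is not a hashed registry artifact."""
    lock = json.loads(lock_text)
    findings = {}
    for path, entry in lock.get("packages", {}).items():
        if path == "":  # the root project itself, not a dependency
            continue
        problems = []
        resolved = entry.get("resolved", "")
        if not entry.get("integrity"):
            problems.append("no integrity hash")
        if not resolved.startswith(registry):
            problems.append(f"non-registry source: {resolved or '<none>'}")
        if problems:
            findings[path] = problems
    return findings


if __name__ == "__main__":
    for path, problems in audit_lock(SAMPLE_LOCK).items():
        print(path, "->", "; ".join(problems))
```

Pairing this check with `npm ci`, which installs exactly what the lockfile records and aborts if package.json and the lock disagree, is what actually holds the whole tree fixed between reviews.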