
Ask HN: What about Version Pinning? - cjfd
Nowadays some languages/environments offer the possibility to pin the versions of dependencies. I have a colleague who is religious about the opinion that all versions of dependencies should be pinned. To me this is not obvious at all. I see potential problems with pinning versions but I also don't feel I know enough about the pros and cons. Let me list the problems that I see.

1) What about the dependencies of dependencies? If dependency A requires C and also dependency B requires C it could be that C is pinned to two different versions. Doesn't this cause problems? Do we end up with much duplication in the packed result in which two different versions of C occur? Might we in the end even end up with 10 different versions of C if it is something that is used in a lot of libraries?

2) In theory one should be able to install any version of a package as is proclaimed in the version pinning file but in practice this can fail because a particular version might be incompatible with system libraries. E.g., numpy depends on underlying C libraries in the system so we cannot have the same version on every work station. The same problem with GUI libraries.

3) There is the danger that the versions of the libraries are not updated very often and that one is programming against old versions that have problems that one would never have encountered using a newer version. Also, if one later finally updates one gets all of the incompatibilities at once instead of occasionally a small incompatibility that is relatively easy to fix.

I do see a few uses/advantages for version pinning. When one is going to create a release branch it makes lots of sense to pin the versions of everything at that point. Also, one wants to avoid the issue that the build breaks at the same time on multiple workstations because that just wastes everybody's time.
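Point 1 asks what happens when A pins C to one version and B pins C to another. The answer depends on the ecosystem: pip installs exactly one version of a package per environment, so two incompatible hard pins are not duplicated but simply unsatisfiable and the install fails, whereas npm can nest a second copy of C under the package that asked for it. The toy resolver below, added here as an illustration and not part of the original post, models the one-version-per-environment rule. The package index (names A, B, C and their version lists) and the requirement strings are constructed for the example; the index is assumed to list every package the roots reach.

```python
"""Toy dependency resolver: one version per package, as pip installs into an
environment. The package index and requirement strings below are constructed
for this example and are not real packages."""
import operator
import re
from itertools import product

OPS = {"==": operator.eq, "!=": operator.ne, ">=": operator.ge,
       "<=": operator.le, ">": operator.gt, "<": operator.lt}
NAME_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*(.*)$")


def parse_version(v):
    """'2.1' -> (2, 1); tuples compare numerically, so '2.10' > '2.9'."""
    return tuple(int(part) for part in v.split("."))


def parse_requirement(req):
    """'C>=1.0,<3.0' -> ('C', [('>=', (1, 0)), ('<', (3, 0))]); bare 'C' -> ('C', [])."""
    name, rest = NAME_RE.match(req.strip()).groups()
    constraints = []
    for clause in rest.split(","):
        clause = clause.strip()
        if not clause:
            continue
        # Try the longest operator first so '>=' is not misread as '>'.
        op = next(o for o in sorted(OPS, key=len, reverse=True) if clause.startswith(o))
        constraints.append((op, parse_version(clause[len(op):].strip())))
    return name, constraints


def satisfies(version, constraints):
    return all(OPS[op](version, bound) for op, bound in constraints)


def resolve(index, roots):
    """Pick one version of every package in `index` such that the root
    requirements and every chosen version's own requirements all hold.
    Newest versions are tried first. Returns {name: version}, or None when
    no assignment exists, which is how a conflict between two hard pins on a
    shared dependency looks to the installer."""
    names = sorted(index)
    candidates = [sorted(index[n], key=parse_version, reverse=True) for n in names]
    for choice in product(*candidates):
        chosen = dict(zip(names, choice))
        requirements = list(roots)
        for name, version in chosen.items():
            requirements.extend(index[name][version])
        parsed = [parse_requirement(r) for r in requirements]
        if all(satisfies(parse_version(chosen[name]), cons) for name, cons in parsed):
            return chosen
    return None


# Scenario 1: A and B each hard-pin a different version of their shared dependency C.
PINNED_INDEX = {
    "A": {"1.0": ["C==1.0"]},
    "B": {"1.0": ["C==2.0"]},
    "C": {"1.0": [], "2.0": [], "2.1": []},
}

# Scenario 2: the same libraries declare compatible ranges instead of pins.
RANGED_INDEX = {
    "A": {"1.0": ["C>=1.0,<3.0"]},
    "B": {"1.0": ["C>=2.0"]},
    "C": {"1.0": [], "2.0": [], "2.1": []},
}

if __name__ == "__main__":
    print("pinned:", resolve(PINNED_INDEX, ["A", "B"]))  # None: unsatisfiable
    print("ranged:", resolve(RANGED_INDEX, ["A", "B"]))  # C resolves to 2.1
```

The practical consequence is the usual division of labour: a library declares a compatible range for C so that it can coexist with other libraries, and the application that ships the release branch is the place where the resolved versions get pinned (a lock file), because only the application controls the complete set of roots.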
======
MobileVet
I am a pinning Zealot. The last thing I want is something changing without my
knowledge. After getting burned once or twice with a ‘Jekyll and Hyde’
situation, you never want to be vulnerable to that again.

Does it mean you have to be on top of monitoring dependency vulnerabilities
and updates? Yes, but GitHub does that for free now.

When I pin something, I know it works, period.

My dependency rules of thumb:

1) limit dependencies to only major contributors that would be impractical to
self code (or are tested / maintained enough to ensure top quality)

2) pin the version

This hasn’t failed me to date.
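Pinning only stays safe if someone checks the pinned versions against published advisories, which is the monitoring the comment above refers to. The script below is an added example, not the commenter's code: it parses a pinned requirements list, flags any line that is not a hard `==` pin (the audit cannot reason about a range), and reports pins that fall inside an advisory's affected range. The requirements text, the package names and the advisory entries (including the `EXAMPLE-` ids) are all constructed for the example; a real audit would read advisories from a feed such as the one behind GitHub's dependency alerts.

```python
"""Audit a pinned requirements list against a set of advisories.
The requirements text and the advisory entries are constructed for this
example; they are not real packages or real advisories."""


def parse_version(v):
    """'1.4.2' -> (1, 4, 2); tuples compare numerically."""
    return tuple(int(part) for part in v.split("."))


def parse_pins(text):
    """Return ({name: version} for 'name==version' lines, [lines that are not hard pins]).
    Comments and blank lines are ignored; names are lower-cased for matching."""
    pins, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" in line:
            name, version = line.split("==", 1)
            pins[name.strip().lower()] = version.strip()
        else:
            unpinned.append(line)
    return pins, unpinned


def affected(pins, advisories):
    """Return (package, pinned version, advisory id, fixed version) for every pin
    whose version lies in [introduced, fixed) of an advisory."""
    hits = []
    for adv in advisories:
        pinned = pins.get(adv["package"])
        if pinned is None:
            continue
        if parse_version(adv["introduced"]) <= parse_version(pinned) < parse_version(adv["fixed"]):
            hits.append((adv["package"], pinned, adv["id"], adv["fixed"]))
    return hits


# Constructed advisory data: ids, names and ranges are placeholders, not real advisories.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "examplelib", "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "EXAMPLE-0002", "package": "otherlib", "introduced": "2.0.0", "fixed": "2.0.5"},
]

# Constructed requirements list: one vulnerable pin, one fixed pin, one unpinned range.
REQUIREMENTS = """\
# lock file for the example
examplelib==1.3.0
otherlib==2.0.5
thirdlib>=3.0   # not a hard pin: the audit cannot tell which version is installed
"""

if __name__ == "__main__":
    pins, unpinned = parse_pins(REQUIREMENTS)
    for line in unpinned:
        print("not pinned:", line)
    for package, version, adv_id, fixed in affected(pins, ADVISORIES):
        print(f"{package}=={version} is affected by {adv_id}; fixed in {fixed}")
```

Run on the constructed input it reports `examplelib==1.3.0` as affected and leaves `otherlib==2.0.5` alone because the pinned version is exactly the fixed one. The unpinned `thirdlib` line is reported separately: a range gives the audit nothing to compare, which is the flip side of the "when I pin something, I know it works" argument.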

