Not everyone tags releases so you're stuck if you need a fixed version of a dependency.

Or you can tie it to Github and then download a release from their CDN.




You can indeed reference a git repository with a single commit specified, like described in the npm install docs[1]. Not very user friendly, but it works.

Example:

"dependencies": { "myprivatemodule": "git+ssh://git@github.com:user/project.git#commit-hash" }

[1] https://docs.npm.red/cli/install.html
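As an added illustration of the pinning point above (not part of the thread, and not npm's own code), the script below reads a constructed package.json and reports, for every git-sourced dependency, whether it is pinned to a full commit hash, to a mutable ref such as a tag or branch, or to nothing at all. The sample manifest, the category names and the spec-shape heuristics are assumptions of this example; only a 40-hex fragment is treated as an immutable pin.

```python
import json
import re

# Constructed sample package.json (assumption: not taken from the thread).
SAMPLE_PACKAGE_JSON = r'''
{
  "name": "example-app",
  "dependencies": {
    "left-pad": "^1.3.0",
    "myprivatemodule": "git+ssh://git@github.com:user/project.git#commit-hash",
    "pinned": "git+https://github.com/user/pinned.git#0123456789abcdef0123456789abcdef01234567",
    "tagged": "git+https://github.com/user/tagged.git#v1.2.3",
    "shorthand": "user/floating"
  },
  "devDependencies": {
    "floating-branch": "github:user/tool#main"
  }
}
'''

# Spec shapes that npm resolves to a git checkout rather than the registry.
GIT_PREFIXES = ("git+ssh://", "git+https://", "git+http://", "git+file://",
                "git://", "github:", "gitlab:", "bitbucket:", "gist:")
# GitHub shorthand "owner/repo" with an optional "#ref" (no scheme).
GITHUB_SHORTHAND = re.compile(r"^[\w.-]+/[\w.-]+(#.*)?$")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def is_git_spec(spec):
    """True if the version spec points at a git source instead of the registry."""
    return spec.startswith(GIT_PREFIXES) or bool(GITHUB_SHORTHAND.match(spec))


def classify(spec):
    """Categorise one dependency spec: registry, commit, ref or unpinned."""
    if not is_git_spec(spec):
        return "registry"
    _, sep, fragment = spec.partition("#")
    if not sep or not fragment:
        return "unpinned"   # default branch: content changes under you
    if FULL_SHA.match(fragment):
        return "commit"     # immutable content address
    return "ref"            # tag, branch or semver range: can be moved or force-pushed


def audit(text):
    """Return {dependency name: category} for all dependency sections."""
    data = json.loads(text)
    findings = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in data.get(section, {}).items():
            findings[name] = classify(spec)
    return findings


if __name__ == "__main__":
    for name, status in audit(SAMPLE_PACKAGE_JSON).items():
        print(f"{status:9} {name}")
```

Anything reported as "ref" or "unpinned" is a git dependency whose contents can change without the manifest changing; a lockfile records the resolved commit, but the manifest itself only guarantees immutability when the fragment is a full hash.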


This! Plus treating every commit as a major version, and be done with it.


That's a bit too idealistic; in practice, any commit MAY have a bug which passed quality control. The problem is that it's all down to people's discipline, it's not an enforced standard.

A package manager where every release has to be reviewed, tested and approved before it becomes generally available would be a pretty interesting case. I know bigger companies, reluctant to upgrade because of known bugs in the past, who would be willing to pay for something like that.


I'm pretty sure you can use a commit hash as a version, too.



