Determinism in image dependencies #4543
Labels
enhancement
New feature or request
Comments
|
This will bring us closer and closer to the "My Own MegaLinter Flavor" project :) It will even allow "My Own MegaLinter Flavor with the linter versions I want" thing 🥳 |
|
@nvuillam the remaining PRs related to this issue are ready for review and merge. |
|
Once this is done, we should go for the apk/npm/pip dependencies. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Right now, there are many linters that do not have the version of the dependency to install and instead install the latest version available at that time.
This goes against the determinism, security, traceability, etc... Because if you generate the image right now or in 5 minutes you can get completely different versions of dependencies.
In this series of PRs I am trying to partly solve this problem:
#4528 #4529 #4530 #4531 #4532 #4533 #4534 #4535 #4536 #4537 #4538 #4539 #4540 #4541 #4542
I have focused on:
Still a lot of npm, pip, etc.... This can be done in a next phase after merge all those PRs.
cc @nvuillam @echoix
The text was updated successfully, but these errors were encountered: