bitter-ability-32190 03/04/2022, 2:34 PM
be mutually exclusive with the new resolve mechanism? The problem it was meant to solve seems to be solved by `enable_resolves`:
Enforces that all transitive dependencies are in the lockfile, whereas constraints allow you to leave off dependencies. This ensures your build is more stable and reduces the risk of supply chain attacks.
hundreds-father-404 03/04/2022, 3:53 PM
. Note the difference from direct vs transitive third-party requirements. The new lockfiles will error if any requirement is missing, including transitive.
only errors on missing direct requirements - that's a good thing, as it's more obvious how to fix that and fixing that should theoretically fix missing third-party
bitter-ability-32190 03/04/2022, 4:13 PM