[erlang-questions] rebar3 dependencies

Tristan Sloughter <>
Wed Mar 23 15:15:39 CET 2016

I was actually thinking of adding that feature for another reason,
supporting multiple repositories.

For this support we plan to simply iterate over the specified
repositories to find the first match of the package. This worried some
that <pkgname>-<vsn> wasn't enough to guarantee it was really the same
package, in which case we'd additionally store the hash in the lock.

  Tristan Sloughter

On Wed, Mar 23, 2016, at 08:17 AM, Motiejus Jakštys wrote:
> On Wed, Mar 23, 2016 at 1:47 PM, Roberto Ostinelli <>
> wrote:
> > On the subject of additional reasons to vendor dependencies:
> > http://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/
> This had to happen. :-)
> I just woke up from a long sleep and submitted a feature request to
> rebar3 for sha-locking the packages from hex.pm[1].
> I know there are difficulties to make this happen, but, in the light
> of recent events, maybe enough people will appreciate checksums of
> their dependencies to make this a reality? :-)
> Fred? Tristan?
> Regards,
> Motiejus
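
The first-match lookup across repositories with a hash stored in the lock, as described in the reply above, written out as an added example (not code from this thread or from rebar3). The module name, the lock layout and the in-memory repository maps are hypothetical, the package bytes are constructed, and failing on a mismatch instead of trying the next repository is a choice made here.

```erlang
-module(lock_hash_demo).
-export([resolve/3, demo/0]).

%% Repos: ordered list of {RepoName, #{ {Pkg, Vsn} => TarballBinary }}.
%% Lock:  #{ {Pkg, Vsn} => lowercase hex SHA-256 } (hypothetical layout).
resolve(Key, Repos, Lock) ->
    case first_match(Key, Repos) of
        not_found -> {error, not_found};
        {Repo, Tarball} -> check(Key, Repo, sha256_hex(Tarball), Lock)
    end.

%% Iterate over the repositories in order; the first one that has
%% <pkgname>-<vsn> wins, whatever its contents are.
first_match(_Key, []) -> not_found;
first_match(Key, [{Repo, Index} | Rest]) ->
    case maps:find(Key, Index) of
        {ok, Tarball} -> {Repo, Tarball};
        error -> first_match(Key, Rest)
    end.

%% Name and version matched; the locked hash decides whether it is
%% really the same package. Hash is already bound, so the first
%% clause only matches when the locked value is equal to it.
check(Key, Repo, Hash, Lock) ->
    case maps:find(Key, Lock) of
        {ok, Hash}   -> {ok, Repo, Hash};
        {ok, Locked} -> {error, {hash_mismatch, Repo, Locked, Hash}};
        error        -> {new_lock, Repo, Hash}  % first fetch: record it
    end.

sha256_hex(Bin) ->
    Digest = crypto:hash(sha256, Bin),
    lists:flatten([io_lib:format("~2.16.0b", [B]) || <<B>> <= Digest]).

%% Constructed data: two repositories serve different bytes under the
%% same name and version; only the repository order changes.
demo() ->
    Key = {<<"example_pkg">>, <<"1.0.0">>},
    Good = <<"constructed tarball bytes">>,
    Other = <<"different bytes, same name and version">>,
    Lock = #{Key => sha256_hex(Good)},
    Public = {public, #{Key => Good}},
    Private = {private, #{Key => Other}},
    {ok, public, _} = resolve(Key, [Public, Private], Lock),
    {error, {hash_mismatch, private, _, _}} =
        resolve(Key, [Private, Public], Lock),
    ok.
```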
