Principle:Apache Spark Dependency Pinning
| Knowledge Sources | |
|---|---|
| Domains | Build_System, Security |
| Last Updated | 2026-02-08 22:00 GMT |
Overview
Practice of recording exact dependency versions and integrity hashes in lock files to ensure deterministic, reproducible builds across all environments.
Description
Dependency Pinning is the principle of fixing the complete transitive dependency tree to exact versions with cryptographic integrity verification. Rather than allowing floating version ranges (e.g., ^1.0.0) to resolve differently on each install, lock files record the precise version, resolved registry URL, and SHA-512 integrity hash for every direct and transitive dependency. This prevents version drift between developer machines and CI environments, mitigates supply chain attacks through integrity verification, and ensures reproducibility of builds.
Usage
Apply this principle to all projects with third-party dependencies. Lock files should be committed to version control and used via deterministic install commands (e.g., `npm ci` instead of `npm install`). Update lock files deliberately and review changes during code review.
Theoretical Basis
Dependency pinning follows the reproducible build paradigm:
- Version Locking: Record the exact resolved version for every package in the dependency tree
- Integrity Verification: Store cryptographic hashes (SHA-512) to detect tampering or corruption
- Registry Pinning: Record the resolved URL to protect against registry substitution attacks
- Deterministic Resolution: Lock files eliminate non-determinism from semver range resolution
- Security Overrides: Allow explicit version overrides for known-vulnerable transitive dependencies
Pseudo-code Logic:

```python
# Abstract algorithm description (pseudo-code, not runnable as-is)
for dependency in resolve_full_tree(package_json):
    lock_entry = {
        "version": dependency.exact_version,      # Version Locking
        "resolved": dependency.registry_url,      # Registry Pinning
        "integrity": sha512(dependency.tarball),  # Integrity Verification
    }
    lockfile.add(lock_entry)
```
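The five mechanisms listed under Theoretical Basis, carried through as a small runnable model. This is an added example, not code from the page or from any package manager: the registry, package names, tarball bytes and the `https://registry.example.invalid` base URL are all constructed stand-ins, and dependency requests are simplified to "any version with this major" in place of real semver ranges. It builds a lock from the transitive tree, applies a security override for a transitive package, and then checks fetched tarballs against the locked integrity hashes so that a substituted or corrupted tarball is reported rather than installed.

```python
import base64
import hashlib

# Constructed stand-in for a package registry: name -> {version: tarball bytes}.
# A real registry serves tarballs over HTTPS; these payloads are fabricated.
REGISTRY = {
    "app-core": {"1.0.0": b"app-core-1.0.0"},
    "util-lib": {"1.4.0": b"util-lib-1.4.0", "1.4.1": b"util-lib-1.4.1", "2.0.0": b"util-lib-2.0.0"},
}
# Transitive edges: package -> list of (dependency name, required major version).
# Requesting major 1 stands in for a caret range such as ^1.0.0 (constructed).
DEPENDENCY_GRAPH = {
    "app-core": [("util-lib", 1)],
    "util-lib": [],
}
REGISTRY_BASE = "https://registry.example.invalid"  # placeholder, not a real registry


def version_key(version: str):
    """Sort key so that '1.4.1' > '1.4.0' numerically rather than lexically."""
    return tuple(int(part) for part in version.split("."))


def sri_sha512(data: bytes) -> str:
    """Subresource Integrity form of the SHA-512 digest ('sha512-<base64>'),
    the shape lock files use for their integrity field."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


def resolve_version(name: str, major: int, overrides: dict) -> str:
    """Deterministic Resolution: pick the highest version with the requested major,
    unless a Security Override pins this package to an explicit version."""
    if name in overrides:
        return overrides[name]
    candidates = [v for v in REGISTRY[name] if version_key(v)[0] == major]
    if not candidates:
        raise LookupError(f"no version of {name} satisfies major {major}")
    return max(candidates, key=version_key)


def build_lockfile(direct_deps, overrides=None) -> dict:
    """Walk the full transitive tree and record version, resolved URL and
    integrity hash for every package (Version Locking, Registry Pinning,
    Integrity Verification)."""
    overrides = overrides or {}
    lock = {}
    pending = list(direct_deps)
    while pending:
        name, major = pending.pop()
        if name in lock:
            continue  # already resolved via another path in the tree
        version = resolve_version(name, major, overrides)
        tarball = REGISTRY[name][version]
        lock[name] = {
            "version": version,
            "resolved": f"{REGISTRY_BASE}/{name}/-/{name}-{version}.tgz",
            "integrity": sri_sha512(tarball),
        }
        pending.extend(DEPENDENCY_GRAPH[name])
    return lock


def verify_install(lock: dict, fetched: dict) -> list:
    """Deterministic install step: return the names whose fetched tarball does
    not match the locked integrity hash. A non-empty result means the install
    must be aborted, since the content differs from what was reviewed."""
    return sorted(
        name for name, entry in lock.items()
        if sri_sha512(fetched[name]) != entry["integrity"]
    )


if __name__ == "__main__":
    lock = build_lockfile([("app-core", 1)])
    print(lock)
    # Simulate a tampered util-lib tarball arriving at install time.
    fetched = {"app-core": REGISTRY["app-core"]["1.0.0"], "util-lib": b"util-lib-1.4.1 tampered"}
    print("integrity failures:", verify_install(lock, fetched))
```

Two things worth noting in this model: `build_lockfile` is a pure function of the registry contents and the overrides, so two runs produce the same lock (the determinism the principle is after), and `verify_install` compares bytes actually fetched against the lock rather than trusting the registry's own metadata, which is what makes a substituted tarball detectable.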