fix: pin @mediapipe/* to the versions already in the lockfile#979
Open
Anexus5919 wants to merge 1 commit into
Open
fix: pin @mediapipe/* to the versions already in the lockfile#979Anexus5919 wants to merge 1 commit into
Anexus5919 wants to merge 1 commit into
Conversation
The three @mediapipe dependencies were set to "latest", so every install could resolve a different version, making builds non-deterministic — and the CHANGELOG already claims these are pinned to specific versions. Pin them to the exact versions already resolved in the lockfile (camera_utils 0.3.1675466862, drawing_utils 0.3.1675466124, pose 0.5.1675469404) and update the lockfile's dependency specifiers to match. The resolved tree and integrity hashes are unchanged.
|
@Anexus5919 is attempting to deploy a commit to the somiljain2024-4175's projects Team on Vercel. A member of the Team first needs to authorize it. |
Contributor
Author
|
@Somil450 @diksha78dev Kindly have a review on this pr. Thanks! |
1 similar comment
Contributor
Author
|
@Somil450 @diksha78dev Kindly have a review on this pr. Thanks! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
📌 Related Issue
Fixes #896
📝 Description
The three
@mediapipe/*dependencies were set to"latest", so every install could resolve a different version of the core pose pipeline (non-deterministic builds), whileCHANGELOG.mdalready claims these are "pinned to specific versions."🔹 What has been changed?
@mediapipe/camera_utils@0.3.1675466862@mediapipe/drawing_utils@0.3.1675466124@mediapipe/pose@0.5.1675469404package-lock.json's root dependency specifiers to match.🔹 Why are these changes needed?
"latest"makes installs non-deterministic for the most critical dependency in the app. Pinning to the versions already in the lockfile removes the non-determinism with no change to the installed code, and makes the changelog claim accurate. The resolved tree and integrity (SRI) hashes are unchanged.🛠️ Type of Change
🧪 Testing
✅ Tests Performed
package.jsonspec == lockfile spec == resolved version, and all are exactx.y.z(nolatest/caret); both files parse as valid JSON.main, so this is a no-op for the installed tree.🔹 Note on automated tests
Done manually rather than via
npm install, so the rest of the lockfile is untouched.🌐 Browsers Tested
Not applicable (dependency/build configuration).
📷 Screenshots / Demo (if applicable)
Not applicable.
📋 Checklist
💬 Additional Notes
Branched from
upstream/main; merges cleanly with the current base (which still pins these to"latest"and resolves the same versions). This is the npm-package pin, distinct from the earlier CDN<script>SRI pinning (#385/#386).