📦 Package: Switch dependency versions to ^ ranges #5114
Comments
|
I'm a big 👍 to this. It was different in the pre- Maybe implement this on a dependency by dependency basis when we update them? That way we will test that no breakage will occur |
JoshuaKGoldberg
added
status: accepting prs
|
No comments for a while, and two 👍 votes. Accepting PRs! Let's have a single PR for each dependency edit: group so we can test them separately - and revert separately if needed. |
|
Hi, as far i understand, you want to add a caret symbol after each dependency below (except chokidar) in separate PRs ? Lines 53 to 74 in 472a8be |
|
So, while reading about the caret symbol in package.json, i found this stack overflow comment
So, it should be fine, right ? |
|
@the-sinner that comment is from almost a decade ago. If you look at common npm package usage, it's very rare to have exact pinned versions the way Mocha traditionally has it now. Package lockfiles such as Self-assigning as I can just take this on. 🙂 |
|
IMHO this sounds like a very bad idea. Mocha should not be ok with its 3rd party libraries getting updated whenever their developers release new code. There's not enough manpower to go through all the permutations if something goes wrong; is it reasonable to expect that everyone used NPM Package-lock and semver caret versions iconic: Package.json: Caret vs. pinned versions? Reddit: [AskJS] Do you use exact or range versions for your dependencies? |
|
@plroebuck do you have examples of other widely-used open source projects that still pin their dependencies to exact versions? Examples of packages that do pin their dependencies include: The downside of exact version pinning is that downstream consumers can't deduplicate packages. Non-trivial JS projects get an exponential growth of duplicate packages in their Now that projects have |
|
@plroebuck You don't have to run We can pin our direct dependencies, but not their sub-dependencies, so the guarantee from us pinning is not absolute and can actually harm the efforts of our dependencies to fix stuff from their dependencies.
Also: By not having to release new versions for every small little dependency update we get rid of a lot of noise both in this repo and in those using dependency updaters like Dependabot and Renovate. It lessens the release fatigue and helps ensure that important changes don't get lost in a sea of noisy updates. |
|
Dependencies bumps are split into the following PRs:
|
The first link would seem to disagree with you, unless you're stating the blog's out-of-date.
Don't think this was ever guaranteed. This a tastes-great/less-filling argument though as far as dependencies fixing their stuff.
I would probably agree with the best practice statement... for everyone else. Let all the other packages deduplicate.
Rather disagree that the decrease in noise would be worth the potential increase in manhours tracking third party updates that broke things down needlessly. And less fatigue trying to troubleshoot other people's setups in bug reports was far more worthwhile to me. Anyhow, if it's decided to move forward with this setup, hopefully it doesn't come back to bite you. |
See the npm documentation itself: https://docs.npmjs.com/cli/v10/commands/npm-install#package-lock The only notable difference in this regard is that if the direct dependencies listed in |
|
Released in |
Spinning out of #5090: @orgads noted that the
package.jsonversions ofdependenciesare all pinned to specific versions like4.1.1rather than "caret"^ranges like^4.1.1:mocha/package.json
Lines 53 to 56 in 3345eff
Why is that?
I'm accustomed to
^ranges to help consumers deduplicate packages. E.g. if a consumer's package requirements arechokidar@^3.5.2andchokidar@^3.6.0, us specifyingchokidar@^3.5.3would mean they could all resolve to the same package version.The text was updated successfully, but these errors were encountered: