Skip to content

Pin dependencies to non-breaking version ranges #2773

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
PCManticore merged 1 commit into from
Feb 28, 2019
Merged

Pin dependencies to non-breaking version ranges #2773

PCManticore merged 1 commit into from
Feb 28, 2019

Conversation

@jab
Copy link
Contributor

@jab jab commented Feb 27, 2019
edited
Loading

Pylint currently specifies unbounded versions of its dependencies. Assuming semver-compliant dependencies, this is dangerous because from one day to the next, your users can end up transitively picking up a breaking version of your dependencies. (This just happened to me via astroid.*)

This pins your dependencies within non-breaking version ranges to hopefully protect your users from breaking this way.

* The fact that astroid's minor version bump was a breaking change goes to show this isn't foolproof, but it's strictly an improvement over the status quo of having no bound whatsoever.

jab
jab commented Feb 27, 2019
View reviewed changes
pylint/__pkginfo__.py
version = string_version

install_requires = ["astroid>=2.2.0", "isort >= 4.2.5", "mccabe"]
install_requires = ["astroid>=2.2.0,<3", "isort>=4.2.5,<5", "mccabe>=0.6,<0.7"]
Copy link
Contributor Author

@jab jab Feb 27, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

mccabe is pinned more strictly (to within the same minor version) since it is a major version 0 package, which semver says may make breaking releases between minor versions.

Copy link
Contributor Author

@jab jab Feb 27, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It turns out astroid 2.2.0 was a breaking release over 2.1.0. Pinned to 2.1.0 in #2774.

@coveralls
Copy link

coveralls commented Feb 27, 2019

Coverage Status

Coverage increased (+0.03%) to 89.728% when pulling 65fd34f on jab:patch-1 into dbc1df3 on PyCQA:master.

@PCManticore
Copy link
Contributor

PCManticore commented Feb 28, 2019

Thanks @jab !

@PCManticore PCManticore merged commit 66f36ee into pylint-dev:master Feb 28, 2019
@jab jab deleted the patch-1 branch February 28, 2019 18:07
This was referenced Jul 7, 2020
Closed
Merged
Merged
Merged
@DavidGarfinkle DavidGarfinkle mentioned this pull request Dec 9, 2020
Open
@vorjdux vorjdux mentioned this pull request Nov 4, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jab @coveralls @PCManticore