chore: deps update to minor versions and fix did-key upstream dep #48
Conversation
zeeshanlakhani
force-pushed
the
zl/fix-deps
branch
3 times, most recently
from
badba91
to
db89215
Compare
|
Fixes #49 |
There was a problem hiding this comment.
@zeeshanlakhani thanks for this change. Can you share the rationale for restricting the version ranges this much?
At a glance, it seems unnecessary to me; as a library, we should be liberal with version ranges so that applications can restrict versions as it suits their use case.
Oh, I don't think we're being too restrictive. We're essentially letting patch versions float, but you don't want feature/major versions to float because they may contain breaking changes, and sometimes minor versions can cause issues as well. With this at least, if dependabot gets a new minor, we can run it through CI. |
|
I think I agree @zeeshanlakhani but in semantic versioning, |
|
@cdata my bad, I was texting over mobile at the doctor's office. Yes, this lets patches float, where as some libs, e.g. tokio/tracing/etc, even hardline on the patch. |
zeeshanlakhani
force-pushed
the
zl/fix-deps
branch
from
db89215
to
36516be
Compare
zeeshanlakhani
changed the title
|
FWIW - Rust ecosystem has whole lot of SemVer exemption footguns to be aware of - Raised #51 to perhaps clarify policy. |
There was a problem hiding this comment.
This looks fine. Thanks for the insights re: semver in cargo.
As a general rule, we should stay liberal with regards to version ranges. If there are specific dependencies that are known to be "bad" semver citizens, we can deal with those on a case-by-case basis. Similarly, if there are dependencies that are highly sensitive (like crypto primitives), let's consider those candidates for more cautious version range strategies. In all special cases, we should document the rationale with comments.
Thanks for making this update!
Let our deps float on patch versions and fix did-key upstream dep issues.