So, the real question here is about what our policies should be based on.

Is it more important to never upgrade for fear of breaking changes, or
to upgrade as soon as possible?

We need to reduce the barriers to upgrading node.  In this case, it's
pretty easy to change the default behavior, see how it goes, and maybe
change it back.  It's unlikely to ruin anyone's day in a significant
way (unlike, say, require("sys") throwing.  See that other thread.)


Tim, sorry, I missed this very good response of yours in my last reply:

On Wed, Jun 27, 2012 at 7:03 PM, Tim Caswell <[email protected]> wrote:
> For example, I published a version of vfs-local that allowed any node
> version >=0.6.0, but then later found out that node itself had a
> nasty security hole that was fixed in 0.6.16.  I don't want anyone running
> my code in an older node, so I add the strict flag to my package.json flag
> and leave the open-ended >=0.6.16 range for engine.

Did you unpublish the versions that allowed >=0.6.0?  (You probably should.)

> So what happens then
> when someone on 0.6.15 tried to install my library. Will it throw an error,
> or will it load the previously published version that had the >=0.6.0
> constraint and the nasty security hole?

Today, if you didn't remove the older version, then they'll get the
old version of vfs-local.  With this change, they'll get the new
version of vfs-local, and see a warning that their node version needs
to be upgraded.

If you did unpublish, then before this change, they'd get an ENOTSUP
(and probably run with --force, and get no warning or error.)  With
the change, they'd get the warning.

Seems to me like actually a slightly better outcome in both cases.
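
The four outcomes described in this message for a user on node 0.6.15, as an added JavaScript model that is not part of the original message and is not npm's code. The resolver, the policy names `filter` and `warn`, and the vfs-local version numbers 0.1.0 and 0.1.1 are constructed for illustration.

```javascript
// Model of the two install policies discussed in the thread (assumed names).
// "filter": skip releases whose engines.node excludes the running node (before).
// "warn":   always take the newest release and warn on a mismatch (after).

// Compare two x.y.z version strings numerically.
const cmp = (a, b) => {
  const x = a.split(".").map(Number), y = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
};

// Only ">=x.y.z" ranges are handled, the form used in the thread.
const satisfies = (node, range) => cmp(node, range.replace(/^>=/, "")) >= 0;

function resolve(node, published, policy) {
  const newestFirst = [...published].sort((a, b) => cmp(b.version, a.version));
  if (policy === "filter") {
    const ok = newestFirst.find(p => satisfies(node, p.engines.node));
    return ok ? { version: ok.version, warning: null } : { error: "ENOTSUP" };
  }
  const top = newestFirst[0];
  const warning = satisfies(node, top.engines.node)
    ? null
    : `${top.name}@${top.version} wants node ${top.engines.node}, running ${node}`;
  return { version: top.version, warning };
}

// Constructed registry entries: version numbers are placeholders.
const oldRelease = { name: "vfs-local", version: "0.1.0", engines: { node: ">=0.6.0" } };
const fixedRelease = { name: "vfs-local", version: "0.1.1", engines: { node: ">=0.6.16" } };

function outcomes(node) {
  return {
    keptBefore: resolve(node, [oldRelease, fixedRelease], "filter"),
    keptAfter: resolve(node, [oldRelease, fixedRelease], "warn"),
    unpublishedBefore: resolve(node, [fixedRelease], "filter"),
    unpublishedAfter: resolve(node, [fixedRelease], "warn"),
  };
}

console.log(outcomes("0.6.15"));
```

The `keptBefore` case is the one that matters for security: filtering silently hands the 0.6.15 user the older release, with no signal that a newer one exists or that their node needs upgrading.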
