Hey,

> Not all package maintainers follow semver perfectly. For example, the
> upgrade from monolog 1.11.0 -> 1.12.0 had a backwards compatibility
> break[1] which would have broken our logging if we had used "~1.11" in
> composer.json.

That is true. Often it's not pragmatic to follow the rules 100%. There'd have been no issue if the range used had been "~1.11.0".

What about the libraries part of the MediaWiki project itself? Supposedly we can trust those. If we can't, that seems like a bigger problem to begin with.

> Normally people do this by putting ranges in the composer.json and
> committing the composer.lock file to pin to a specific version, but that
> would prevent people from adding arbitrary dependencies to MW for
> extensions due to a dirty composer.lock file ([2], etc.)...so we just
> put the specific versions in composer.json instead.

Unfortunately those things are not equivalent. If you use a composer.lock, one can still run composer update. That is not only needed when one wants to get bugfixes. Imagine you want to install a MediaWiki extension that requires version "^1.0.1" of some library while MediaWiki requires "1.0.0". You end up not being able to install the extension, since MediaWiki's composer.json says "no, you can't use that bugfix". That seems like a huge usability fail to me. Am I missing something?

> If there are bugfixes in libraries that affect MediaWiki, we
> should backport library updates just like any other bug fix that is
> backported.

I hope this was meant to say "that affect *the people using* MediaWiki".

Cheers

--
Jeroen De Dauw - http://www.bn2vs.com
Software craftsmanship advocate
Developer at Wikimedia Germany
~=[,,_,,]:3
_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
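
Added example, not part of the original message: a simplified Python model of Composer's "~", "^" and exact-version constraints, covering the two cases discussed above ("~1.11" versus "~1.11.0", and an exact "1.0.0" pin against "^1.0.1"). The function names are illustrative, and the model assumes plain numeric versions of up to three parts.

```python
# Added example: simplified model of Composer's "~", "^" and exact constraints.
# Assumption: plain numeric versions with up to three parts only
# (no stability flags, wildcards, or "||" / "," combinations).

def parse(version):
    """'1.11' -> (1, 11, 0): numeric parts padded to three."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def bounds(constraint):
    """Return (low, high): low is inclusive, high is exclusive."""
    op = constraint[0] if constraint[0] in "~^" else ""
    raw = constraint[len(op):]
    given = len(raw.split("."))
    low = parse(raw)
    if op == "~":
        # Only the last given part may increase: ~1.11 < 2.0.0, ~1.11.0 < 1.12.0
        idx = max(given - 2, 0)
    elif op == "^":
        # The leftmost non-zero part stays fixed: ^1.0.1 < 2.0.0, ^0.3 < 0.4.0
        idx = next((i for i, p in enumerate(low[:given]) if p), given - 1)
    else:
        # Exact pin: matches this one version only
        idx = 2
    high = low[:idx] + (low[idx] + 1,) + (0,) * (2 - idx)
    return low, high

def satisfies(version, constraint):
    low, high = bounds(constraint)
    return low <= parse(version) < high

def compatible(a, b):
    """True if the two ranges overlap, so one version could satisfy both."""
    (low_a, high_a), (low_b, high_b) = bounds(a), bounds(b)
    return max(low_a, low_b) < min(high_a, high_b)

if __name__ == "__main__":
    # The monolog case: "~1.11" admits 1.12.0, "~1.11.0" does not.
    print(satisfies("1.12.0", "~1.11"), satisfies("1.12.0", "~1.11.0"))
    # The extension case: an exact "1.0.0" pin cannot coexist with "^1.0.1".
    print(compatible("1.0.0", "^1.0.1"), compatible("~1.0", "^1.0.1"))
```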
