Open ahasselbring opened 1 year ago
package.json isn't pinned. `^` means it can upgrade the patch level.
According to the documentation, `^` can also upgrade minor (and `~` only patch level). The question is rather what we want.
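As an added example (not code from this issue or the project), a minimal JavaScript implementation of npm's `^` and `~` range rules for plain x.y.z versions, run against a constructed registry listing; it also covers the 0.y.z case, where `^` is narrower than it is for 1.0.0 and above.

```javascript
// Added example (not from the issue thread): a minimal implementation of
// npm's `^` (caret) and `~` (tilde) range semantics for plain x.y.z versions,
// used to check which upgrades a package.json range actually permits.
// Assumption: versions are simple MAJOR.MINOR.PATCH without prerelease tags.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Returns true if `candidate` satisfies `spec` (e.g. "^1.2.3", "~1.2.3", "1.2.3").
function satisfies(spec, candidate) {
  const op = spec[0] === '^' || spec[0] === '~' ? spec[0] : '';
  const base = parseVersion(op ? spec.slice(1) : spec);
  const cand = parseVersion(candidate);
  if (op === '') return compare(base, cand) === 0;  // exact pin
  if (compare(cand, base) < 0) return false;         // never below the base
  const [maj, min] = base;
  if (op === '~') {
    // ~x.y.z: only the patch component may change
    return cand[0] === maj && cand[1] === min;
  }
  // ^x.y.z: the leftmost non-zero component is frozen. For >=1.0.0 that
  // allows minor+patch changes; for 0.y.z only patch; for 0.0.z nothing.
  if (maj > 0) return cand[0] === maj;
  if (min > 0) return cand[0] === 0 && cand[1] === min;
  return compare(cand, base) === 0;
}

// Which versions of a constructed registry listing each range would admit.
function allowedUpgrades(spec, available) {
  return available.filter((v) => satisfies(spec, v));
}

const registry = ['1.2.3', '1.2.9', '1.3.0', '2.0.0', '0.4.1', '0.4.7', '0.5.0'];
console.log('^1.2.3 ->', allowedUpgrades('^1.2.3', registry)); // [ '1.2.3', '1.2.9', '1.3.0' ]
console.log('~1.2.3 ->', allowedUpgrades('~1.2.3', registry)); // [ '1.2.3', '1.2.9' ]
console.log('^0.4.1 ->', allowedUpgrades('^0.4.1', registry)); // [ '0.4.1', '0.4.7' ]
```

Without a committed lockfile, the admitted set is what a fresh install may resolve to; with one, the lockfile fixes the exact version within that set.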
If I understand it correctly, then for packages which can be trusted to use semver correctly (do those exist?), `~` would be okay (and `^` not necessary because if new features from a minor release are needed the version should be updated manually), while for packages without a strict version scheme we should pin an exact version?
`^` is perfectly normal for node projects, so I think we should keep it. The package-lock says explicitly which versions are known to work.
(`game_controller_app` has its own dependencies, but only because tauri cannot handle workspace dependencies in the latest released version)

I usually don't write software in ecosystems where you add dependencies this way, so I have no idea what "the right thing" is.