RoboCup-SPL / GameController3

This is the official GameController used in the RoboCup Standard Platform League
MIT License

Package Manager Usage #13

Open ahasselbring opened 1 year ago

ahasselbring commented 1 year ago

I usually don't write software in ecosystems where you add dependencies this way, so I have no idea what "the right thing" is.

jayenashar commented 1 year ago

package.json isn't pinned. ^ means it can upgrade the patch level.

ahasselbring commented 1 year ago

According to the documentation, ^ can also upgrade minor (and ~ only patch level). The question is rather what we want.

If I understand it correctly, then for packages which can be trusted to use semver correctly (do those exist?), ~ would be okay (and ^ not necessary because if new features from a minor release are needed the version should be updated manually), while for packages without a strict version scheme we should pin an exact version?

jayenashar commented 1 year ago

^ is perfectly normal for node projects, so I think we should keep it. The package-lock says explicitly which versions are known to work.
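The thread above turns on what `^`, `~` and an exact version in package.json actually permit, and on the lockfile being the record of what was tested. The following is an added example, not code from GameController3 or from either commenter: a small checker that implements the npm semver rules for those three range forms (`^` keeps the leftmost non-zero component fixed, `~` allows patch updates only, a bare version matches only itself) and audits a package.json against the `packages["node_modules/<name>"]` entries of a lockfileVersion 2/3 package-lock.json. The `samplePkg` and `sampleLock` objects are constructed for the demonstration; only plain `x.y.z` versions are handled, prerelease tags and other range operators are out of scope.

```javascript
// Added example (not GameController3 code): semver range checker for the
// three package.json range forms discussed in the thread, plus a lockfile
// audit. Only full "x.y.z" versions are supported.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Translate a range string into an inclusive lower bound and an exclusive
// upper bound, following the npm semver rules for "", "~" and "^".
function rangeBounds(range) {
  const r = range.trim();
  const op = r[0] === '^' || r[0] === '~' ? r[0] : '';
  const base = parseVersion(op ? r.slice(1) : r);
  const [maj, min, pat] = base;
  if (op === '') return { min: base, maxExclusive: [maj, min, pat + 1] }; // exact
  if (op === '~') return { min: base, maxExclusive: [maj, min + 1, 0] };   // patch only
  // caret: the leftmost non-zero component is frozen
  if (maj > 0) return { min: base, maxExclusive: [maj + 1, 0, 0] };
  if (min > 0) return { min: base, maxExclusive: [0, min + 1, 0] };
  return { min: base, maxExclusive: [0, 0, pat + 1] };
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const { min, maxExclusive } = rangeBounds(range);
  return compare(v, min) >= 0 && compare(v, maxExclusive) < 0;
}

// For every dependency declared in package.json, confirm that the version
// recorded in package-lock.json still lies inside the declared range.
// Returns a list of human-readable problems (empty when everything agrees).
function auditLock(pkg, lock) {
  const problems = [];
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, range] of Object.entries(deps)) {
    const entry = lock.packages && lock.packages[`node_modules/${name}`];
    if (!entry) {
      problems.push(`${name}: missing from lockfile`);
      continue;
    }
    if (!satisfies(entry.version, range)) {
      problems.push(`${name}: locked ${entry.version} does not satisfy ${range}`);
    }
  }
  return problems;
}

// Constructed sample data (hypothetical package names and versions).
const samplePkg = {
  dependencies: { alpha: '^1.4.0', beta: '~0.3.2', gamma: '2.0.0' },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/alpha': { version: '1.9.3' }, // minor bump, allowed by ^
    'node_modules/beta': { version: '0.4.0' },  // minor bump, NOT allowed by ~
    'node_modules/gamma': { version: '2.0.0' }, // exact match
  },
};

console.log(auditLock(samplePkg, sampleLock));
```

Run with `node` to see the one mismatch reported for `beta`. Running the audit in CI catches a lockfile that has been edited by hand or resolved by a tool with different range semantics; for the actual install, `npm ci` already refuses to proceed when package.json and package-lock.json disagree, so the range in package.json governs what a future `npm install` or `npm update` may pull in, while the lockfile governs what is reproducibly installed today.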