SAFE-Stack / SAFE-template

dotnet CLI template for SAFE project
MIT License

Review declared dependencies of libraries that SAFE Template depends on #557

Closed mattgallagher92 closed 5 months ago

mattgallagher92 commented 1 year ago

Triggered by discussion in #553.

We've had a few cases where upgrading packages causes problems because they don't declare the packages that they depend on tightly enough. In this case, Paket (or npm) upgrades packages to versions that it thinks should be compatible (and indeed that the packages themselves declare should work together), but the code fails at runtime because they are in fact incompatible.

We should review the packages that SAFE Template depends on, to check that they declare their dependencies correctly. If there are any problems, raise issues and/or PRs in the appropriate repo.

martinbryant commented 7 months ago

@mattgallagher92 I think we can look at closing this since v5 released

mattgallagher92 commented 7 months ago

I don't think so. The gist of the above is to look through the paket.dependencies (or equivalent) of all the libraries that we depend on to make sure that they have specified their dependencies correctly. If they haven't, then future upgrades might end up being a pain.

Essentially we want to make sure that if we depend on package A and it depends on package B, they haven't said something like "package A is compatible with versions X and above of package B" if version (X+1) is actually incompatible. Those kinds of mis-specifications caused a lot of pain when trying to upgrade some packages in the past.
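One concrete form of the review this issue asks for, as an added example that is not part of the SAFE-template repo or of this thread: a script that reads a package's `.nuspec` and flags dependencies declared with only a lower bound. In NuGet range syntax a bare `2.0.0` means `>= 2.0.0` with no upper bound, which is exactly the "versions X and above" declaration described above. The nuspec content is a constructed sample, not a real package.

```python
"""Flag NuGet dependency ranges that have no upper bound (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample nuspec modelled on the NuGet schema; PackageA-D are not real.
SAMPLE_NUSPEC = """<?xml version="1.0"?>
<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">
  <metadata>
    <id>PackageA</id>
    <version>3.1.0</version>
    <dependencies>
      <group targetFramework="net6.0">
        <dependency id="PackageB" version="2.0.0" />
        <dependency id="PackageC" version="[1.4.0, 2.0.0)" />
        <dependency id="PackageD" version="[5.0.0]" />
      </group>
    </dependencies>
  </metadata>
</package>
"""


def has_upper_bound(version_range: str) -> bool:
    """True if a NuGet version range caps the dependency from above.

    "2.0.0"          -> >= 2.0.0, unbounded        -> False
    "[1.4.0, 2.0.0)" -> 1.4.0 <= v < 2.0.0         -> True
    "[5.0.0]"        -> exactly 5.0.0              -> True
    "[1.0,)"         -> >= 1.0, explicitly unbounded -> False
    """
    r = version_range.strip()
    if not r or r[0] not in "[(":
        return False  # bare version (or no version at all) is a lower bound only
    inner = r[1:-1]
    if "," not in inner:
        return True  # "[v]" pins one exact version
    high = inner.split(",", 1)[1].strip()
    return high != ""


def open_ended_dependencies(nuspec_xml: str) -> list[tuple[str, str]]:
    """Return (id, declared range) for every dependency without an upper bound."""
    root = ET.fromstring(nuspec_xml)
    findings = []
    for el in root.iter():
        if el.tag.split("}")[-1] != "dependency":  # strip the XML namespace
            continue
        rng = el.get("version", "")
        if not has_upper_bound(rng):
            findings.append((el.get("id", "?"), rng))
    return findings


if __name__ == "__main__":
    for dep_id, rng in open_ended_dependencies(SAMPLE_NUSPEC):
        print(f"{dep_id}: declared '{rng}', no upper bound")
```

Run it against the nuspec pulled from a real package's `.nupkg` (it is a zip) to get the list of dependencies worth raising upstream.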

isaacabraham commented 6 months ago

It's a tough challenge - we don't necessarily have access to those repos and it's a constantly moving target. My gut feel is that a combination of education around Paket (e.g. paket update --keep-major - this issue doesn't happen as often in NuGet because it's so conservative) and meta-packages could sidestep this issue.

mattgallagher92 commented 5 months ago

Yes, I wasn't thinking that we'd keep on top of it forever. It would more be a one-time review and a chance to educate the authors of the libraries that we depend on if they have mis-specified anything.

I think that meta-packages could be a great solution. That way the hassle of making sure that the packages that SAFE relies on work together could be handled once and users wouldn't have to repeat that effort unless they wanted later versions. Happy to close this if/when the meta packages are out.