Closed cfournie closed 7 years ago
We had a discussion about this and decided not to do it on Data Bang. The thinking is that you are essentially guaranteeing that you are not running with the same versions of your libraries that you will run with in production.
If you don't pin them, you will find out very quickly if you do not successfully build with the latest official release of one of your dependencies.
If you do pin them, you will wait until you debug an issue in production. The bug can lurk for arbitrary amounts of time and consume arbitrary amounts of effort to diagnose. If it causes a unit-test to fail, you would know right away and would also be able to find a proximate cause (since you could look for recent package upgrades, for example).
Let's pin our `extras_requires` for `dev` (aka development) to specific versions to prevent spontaneous build failures if these dependencies change functionality.