achanda / ipnetwork

A library to work with CIDRs in rust
Apache License 2.0
121 stars 38 forks source link

Why does this library auto-bump patch versions in dependencies? #201

Closed faern closed 1 month ago

faern commented 1 month ago

What is the motivation behind commits like 7e0519cd352793b17143349df0d29675b16d4fbe ?

There is no point in libraries always pointing to the latest version of dependencies. If they aim to do that it will just create infinite churn for every library to always bump all their deps.

What this does is just telling downstream application developers that "this library needs at least version 1.0.200 of serde". While in reality it probably works with waaay older 1.0 releases. This constrains application developers in an unnecessary way.

I'm not sure if there is a written API/library guideline about this for Rust. But in my opinion, the sane thing to do is to spec your semver dependencies to the lowest version that your library work with. Keeping the range of possible versions as large as possible. Downstream application developers can then narrow it if they need for various reasons, such as needing a new feature, or wanting to avoid a certain CVE etc.

achanda commented 1 month ago

Makes sense, I have disabled renovate.

faern commented 1 month ago

Awesome :) Thank you