askovpen / node-fidonet-mailer-binkp-crypt

GNU General Public License v2.0

Stop using > for dependencies #8

Closed misterbrownlee closed 9 years ago

misterbrownlee commented 9 years ago

Hi -

I'd suggest you stop using > for dependencies. If you're expecting to have a stable library with people upstream depending on you, this is unstable and possibly dangerous. You're basically opening the door for any push from all of those repositories, with no way to check how it will affect anyone using your library.

lazd commented 9 years ago

Using >0.0.0 for your dependency versions is very brittle.

"bindings": ">0.0.0" means:

"take any update to bindings, even if it's a major version that completely breaks backwards compatibility causing my module to not work at all"

See semver for more details about versioning.
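
As an added illustration (not part of the thread or of the project's code), the following Node.js script flags dependency ranges in a package.json that have no upper bound, such as the ">0.0.0" quoted above. The sample manifest, every package name in it other than bindings and nan, and the function names are constructed for the example; non-semver specs such as git URLs are not classified.

```javascript
// Constructed sample manifest. Only "bindings" with ">0.0.0" comes from the
// thread; the other entries and ranges are made up for illustration.
const sampleManifest = {
  name: 'example-native-addon',
  dependencies: {
    bindings: '>0.0.0',
    nan: '>=1.0.0',
    'left-lib': '^1.2.3',
    'right-lib': '>=1.0.0 <2.0.0',
    'any-lib': '*',
    'alt-lib': '~1.4.0 || >3.0.0'
  }
};

// A comparator set is a space-separated list of comparators that must all
// match. It is unbounded when it admits arbitrarily high versions.
function setIsUnbounded(set) {
  const s = set.trim();
  // Empty, "*", "x" and the "latest" dist-tag all float to whatever is newest.
  if (s === '' || s === '*' || s === 'latest' || /^[xX]$/.test(s)) return true;
  if (/\s-\s/.test(s)) return false; // hyphen range "a - b" has an upper end
  const comparators = s.split(/\s+/);
  const hasLower = comparators.some(c => /^>=?/.test(c));
  // <, <=, ^, ~, = and bare versions (including 1.x) all cap the range.
  const hasUpper = comparators.some(c => /^(<=?|\^|~|=|v?\d)/.test(c));
  return hasLower && !hasUpper;
}

// A full range is "set || set || ..."; one unbounded alternative is enough.
function rangeIsUnbounded(range) {
  const normalised = String(range).replace(/([<>]=?|=)\s+/g, '$1'); // "> 1.0" -> ">1.0"
  return normalised.split('||').some(setIsUnbounded);
}

// Walk every dependency field and collect the entries with no upper bound.
function auditManifest(manifest) {
  const fields = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
  const findings = [];
  for (const field of fields) {
    for (const [name, range] of Object.entries(manifest[field] || {})) {
      if (rangeIsUnbounded(range)) findings.push({ field, name, range });
    }
  }
  return findings;
}

for (const f of auditManifest(sampleManifest)) {
  console.log(`${f.field}: "${f.name}": "${f.range}" accepts any future major version`);
}
```

A check like this can run in CI so that a floating range fails the build before the package is published.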

misterbrownlee commented 9 years ago

You've released an update that causes a major system dependency change under a 0.0.x release. According to semver, dot releases are 'minor bug fixes' and 'non breaking'.

Bad news for anyone depending on your lib.

arthrp commented 9 years ago

+1. That's like kindergarten level. I guess the fix is as easy as replacing the "rolling" version with the latest one, to persist the status quo?

lazd commented 9 years ago

Why is this issue closed? The package.json still has completely irresponsible dependency versioning.

askovpen commented 9 years ago

I trust "nan" and "bindings", and I need the latest versions in dependencies.

lazd commented 9 years ago

@askovpen that's not good enough. You need to specify the version or a sane version range. If they release version 2 of either of those libraries and you don't immediately update your module, every module that relies on it breaks, do you understand that?

askovpen commented 9 years ago

Currently this module is used only in my projects. I see no reason to make it.

lazd commented 9 years ago

@askovpen is adm-zip your project? Because you sent a PR to it that broke the entire Yeoman ecosystem and anyone who was using Sauce Labs to test their software.

If this is used in only your projects, don't publish it on NPM and don't send PRs to popular projects that add it.

OR, simply do what this PR says and be responsible about your versioning, fix your build to work cross-platform, and move on.

askovpen commented 9 years ago

adm-zip does not use this module now.

lazd commented 9 years ago

You personally sent a pull request to adm-zip, which was merged. Here's the PR to refresh your memory: https://github.com/cthackers/adm-zip/pull/94

After this broke everything, your code was removed. So yes, adm-zip no longer uses your code.

lazd commented 9 years ago

Please have a look at your NPM statistics. https://www.npmjs.com/package/fidonet-mailer-binkp-crypt

Your module has 150 downloads in the last day. That's a good reason to be responsible about your versioning, I think.

askovpen commented 9 years ago

I repeat: I see no reason to make it now.