Closed misterbrownlee closed 9 years ago
Using >0.0.0 for your dependency versions is very brittle.
"bindings": ">0.0.0"
means:
"take any update to bindings, even if it's a major version that completely breaks backwards compatibility causing my module to not work at all"
See semver for more details about versioning.
You've released an update that causes a major system dependency change under a 0.0.x release. According to semver, dot releases are 'minor bug fixes' and 'non breaking'.
Bad news for anyone depending on your lib.
+1. That's like kindergarten level. I guess fix is as easy as replacing "rolling" version with the latest one, to persist the status quo?
Why is this issue closed? The package.json still has completely irresponsible dependency versioning.
I trust "nan" and "bindings", and I need the latest versions in dependencies.
@askovpen that's not good enough. You need to specify the version or a sane version range. If they release version 2 of either of those libraries and you don't immediately update your module, every module that relies on it breaks, do you understand that?
Currently this module is used only in my projects. I see no reason to make it.
@askovpen is adm-zip your project? Because you sent a PR to it that broke the entire Yeoman ecosystem and anyone who was using Sauce Labs to test their software.
If this is used in only your projects, don't publish it on NPM and don't send PRs to popular projects that add it.
OR, simply do what this PR says and be responsible about your versioning, fix your build to work cross-platform, and move on.
adm-zip does not use this module now.
You personally sent a pull request to adm-zip, which was merged. Here's the PR to refresh your memory: https://github.com/cthackers/adm-zip/pull/94
After this broke everything, your code was removed. So yes, adm-zip no longer uses your code.
Please have a look at your NPM statistics. https://www.npmjs.com/package/fidonet-mailer-binkp-crypt
Your module has 150 downloads in the last day. That's a good reason to be responsible about your versioning, I think.
Repeat: I see no reason to make it now.
Hi -
I'd suggest you stop using > for dependencies. If you're expecting to have a stable library with people upstream depending on you, this is unstable and possibly dangerous. You're basically opening the door for any push from all of those repositories, with no way to check how it will affect anyone using your library.
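
Added example, not part of the thread or of the project's code: a small Node.js check that flags dependency ranges with no upper bound, such as the ">0.0.0" discussed above, so a CI step can reject them. The range test is a simplified heuristic rather than the full node-semver grammar, and the sample manifest (including the "example-*" package names) is constructed.

```javascript
// Added example: flags package.json dependency ranges that have no upper bound.
// Heuristic only; it does not implement the full node-semver range grammar.
const SECTIONS = ['dependencies', 'devDependencies',
                  'optionalDependencies', 'peerDependencies'];

// True when one comparator set (the part between "||") caps the version.
function hasUpperBound(set) {
  // Glue operators to their version so ">= 1.0.0" becomes ">=1.0.0".
  const s = set.trim().replace(/([<>=~^]+)\s+/g, '$1');
  if (s === '' || s === '*') return false;   // match-anything
  if (/^[a-z-]+$/i.test(s)) return false;    // "x", or a moving dist-tag such as "latest"
  if (/\s-\s/.test(s)) return true;          // hyphen range "1.2.3 - 1.9.0"
  // Any token other than a ">" / ">=" floor (exact, ^, ~, <, <=, 1.x) is a cap.
  return s.split(/\s+/).some(t => !/^>/.test(t) && t !== '*');
}

function isUnbounded(range) {
  if (typeof range !== 'string') return false;
  if (/[:\/]/.test(range)) return false;     // git/file/URL specs are out of scope here
  // One unbounded alternative is enough to let any future major in.
  return range.split('||').some(set => !hasUpperBound(set));
}

function findUnboundedRanges(pkg) {
  const findings = [];
  for (const section of SECTIONS) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      if (isUnbounded(range)) findings.push({ section, name, range });
    }
  }
  return findings;
}

// Constructed sample manifest; only "bindings" with ">0.0.0" is quoted in the thread.
const samplePkg = {
  dependencies: {
    'bindings': '>0.0.0',
    'nan': '>0.0.0',
    'example-pinned': '1.2.3',
    'example-caret': '^2.1.0',
    'example-window': '>= 1.0.0 <2.0.0',
    'example-or': '^1.0.0 || >=3.0.0',
  },
  devDependencies: { 'example-tool': '*' },
};

for (const f of findUnboundedRanges(samplePkg)) {
  console.log(`${f.section}: ${f.name}@"${f.range}" has no upper bound`);
}
```

A lockfile or an exact pin is still needed for reproducible installs; this check only catches ranges that would accept a future breaking major.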