browserify / detective

Find all calls to require() no matter how deeply nested using a proper walk of the AST

pin esprima version #14

Closed defunctzombie closed 12 years ago

defunctzombie commented 12 years ago

It would be nice for library users if the packages you depend on were also pinned. Not everyone always follows semver, and even a ~0.9.9 could be dangerous, as there might be some unforeseen side effect in a new point release :/

medikoo commented 12 years ago

I can confirm that in case of esprima, it's not safe, as it doesn't follow semver rules.

e.g. 0.9.9 is not backwards compatible with 0.9.8 (my package once failed on that and since then I put fixed esprima version in dependencies).

defunctzombie commented 12 years ago

@substack any comment/update on this?

ghost commented 12 years ago

I'll do this only when esprima pushes a change on a point release that actually breaks this project. Maybe contact @ariya about being more careful with versioning instead?

defunctzombie commented 12 years ago

Wouldn't it be a bit late at that point? Any other modules that depend on this will still have the flexible (and now broken) dep and thus be unusable. It is safer to do it sooner rather than when the breakage actually happens (which is too late).

ariya commented 12 years ago

pre 1.0 is never guaranteed to be stable anyway. Expect 1.0.0 in a few weeks and after that it will be faithful to semver convention.

defunctzombie commented 12 years ago

Ok, so this statement seems to clearly make the case that the version should be pinned in detective; otherwise users of detective will all break when this package releases updates, since it is not adhering to any sort of semver currently (not sure why).

@ariya what do you mean by never going to be stable? The code is published and thus people are going to use it :) If they pin to a specific version and do their testing then you can at least be sure those cases continue to work. Sure you might feel free to change the API and bump any part of the version (and that is fine) but that is just more reason that modules that depend on you should pin to a specific version you released so they are not imposing their version requirements upon you.

ariya commented 12 years ago

Precisely what I mean: there is no guarantee of reliable and consistent behavior and/or API between any versions < 1.0.0.

As for pinning the version, ~0.9.9 should work for now because there won't be any other 0.9.* versions. AFAIK this means it would only match 0.9.9.
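The thread turns on what a `~0.9.9` dependency actually admits compared with an exact `0.9.9` pin. The following is an added example written for this page, not code from detective, esprima or npm: a minimal matcher implementing npm's tilde semantics (`~MAJOR.MINOR.PATCH` means `>=MAJOR.MINOR.PATCH <MAJOR.(MINOR+1).0`) and an exact-pin comparison, run over a constructed, hypothetical publish history. The function names `satisfies` and `allowedVersions` and the `PUBLISHED` list are this example's own.

```javascript
// Added example, not the project's code. It shows which published versions
// a "~0.9.9" range admits versus an exact "0.9.9" pin, using npm's tilde
// semantics (assumed here): ~x.y.z allows patch-level updates only,
// i.e. >=x.y.z <x.(y+1).0.

function parseVersion(v) {
  // Only plain x.y.z versions are handled; prerelease tags are out of scope.
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric component-wise comparison. A plain string compare would rank
// "0.9.10" below "0.9.9", which is exactly the kind of bug a version
// check must not have.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` satisfies `range`; `range` is either an exact pin
// ("0.9.9") or a tilde range ("~0.9.9").
function satisfies(version, range) {
  const r = range.trim();
  if (r.startsWith('~')) {
    const [maj, min, pat] = parseVersion(r.slice(1));
    const lower = `${maj}.${min}.${pat}`;     // inclusive
    const upper = `${maj}.${min + 1}.0`;      // exclusive
    return compareVersions(version, lower) >= 0 &&
           compareVersions(version, upper) < 0;
  }
  return compareVersions(version, r) === 0;   // exact pin
}

// Every published version the resolver would be allowed to pick for `range`.
function allowedVersions(published, range) {
  return published.filter(v => satisfies(v, range));
}

// Constructed sample publish history for a hypothetical pre-1.0 package
// (not esprima's real release list).
const PUBLISHED = ['0.9.8', '0.9.9', '0.9.10', '0.10.0', '1.0.0'];

console.log('~0.9.9 admits:', allowedVersions(PUBLISHED, '~0.9.9')); // ['0.9.9', '0.9.10']
console.log('0.9.9 admits: ', allowedVersions(PUBLISHED, '0.9.9'));  // ['0.9.9']

module.exports = { parseVersion, compareVersions, satisfies, allowedVersions, PUBLISHED };
```

With the sample history, the tilde range stays open to any later 0.9.x release, so a future 0.9.10 that changed behaviour would be pulled in by every consumer of the range; only the exact pin fixes the resolved version to what was actually tested.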