fidelity / spock

spock is a framework that helps manage complex parameter configurations during research and development of Python applications
https://fidelity.github.io/spock/
Apache License 2.0

Is there a reason why dependencies are pinned? #161

Closed gbmarc1 closed 2 years ago

gbmarc1 commented 2 years ago

Is there a reason why dependencies are pinned to a specific version? Could it be relaxed to major versions? Assuming almost every project uses semver.

ncilfone commented 2 years ago

Right now it's handled by dependabot, which will update and pin versions and then run the test suite on those pinned versions. We could re-tool the tests to not use pinned versions but then the combinatorics matrix might get pretty messy with gt/lt constraints. Might be easier to just tone down the frequency of dep updates for those that abuse semver (boto libraries are very guilty of this)... Thoughts?

Pretty easy to relax the constraints with the ignore options if that's the path to go:

https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates#ignore
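For reference, this is what the `ignore` option linked above looks like in a `dependabot.yml`. It is an added example, not spock's actual Dependabot configuration; the `boto3`/`botocore` entries are an assumption based on the comment that the boto libraries churn the most, and the weekly interval is an arbitrary choice.

```yaml
# .github/dependabot.yml  (illustrative example, not spock's real config)
version: 2
updates:
  - package-ecosystem: "pip"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      # Assumed dependency names: skip patch-level bumps for the noisiest
      # packages so the pinned versions are only re-tested on minor/major.
      - dependency-name: "boto3"
        update-types: ["version-update:semver-patch"]
      - dependency-name: "botocore"
        update-types: ["version-update:semver-patch"]
```

Keep the rule narrow (named packages, one `update-types` level): ignoring patch bumps also delays patch-level fixes, which is the opposite of what pinning through Dependabot is supposed to buy you.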

gbmarc1 commented 2 years ago

I have some package (connexion) in my environment that requires pyYAML<=5.4.1<6.0. I think spock-config is also compatible with pyYaml<6.0 but since the version is pinned I have this conflict that could be avoided.

I don't have any suggestion on how to solve this. ML libraries often have so many dependencies that I more often than not end up with conflicts. It's an ongoing question that I cannot answer.

gbmarc1 commented 2 years ago

An idea... Could we use something like tilde and caret requirements? https://python-poetry.org/docs/dependency-specification/#tilde-requirements https://python-poetry.org/docs/dependency-specification/#caret-requirements
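To make the conflict from the earlier comment concrete, here is a small stdlib-only PEP 440 specifier checker. It is an added example, not spock's code: it evaluates `==`, `!=`, `<`, `<=`, `>`, `>=` and the compatible-release operator `~=` (Python's standard equivalent of poetry's tilde) against a constructed list of PyYAML versions, and translates a poetry caret requirement into explicit PEP 440 bounds, since `^` is not a standard Python specifier. The exact versions (`spock-config` pinning `pyyaml==6.0`, `connexion` wanting `>=5.4.1,<6.0`) are assumptions for illustration, not what either project actually declares.

```python
"""Mini PEP 440 specifier check: does a set of requirements on one package
leave any installable version?  Added example, not spock's code.  Handles only
plain dotted release versions; pre-releases and wildcards are out of scope."""
import re

# Constructed list of candidate PyYAML releases (not fetched from PyPI).
CANDIDATES = ["5.3.1", "5.4", "5.4.1", "6.0", "6.0.1"]

_SPEC_RE = re.compile(r"\s*(~=|==|!=|<=|>=|<|>)\s*([0-9]+(?:\.[0-9]+)*)\s*")


def parse_version(text):
    """'5.4.1' -> (5, 4, 1); shorter tuples are zero-padded when compared."""
    return tuple(int(p) for p in text.split("."))


def _cmp(a, b):
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def parse_specifiers(spec):
    """'>=5.4,<6.0' -> [('>=', (5, 4)), ('<', (6, 0))]."""
    clauses = []
    for part in spec.split(","):
        if not part.strip():
            continue
        m = _SPEC_RE.fullmatch(part)
        if not m:
            raise ValueError("unsupported specifier: %r" % part)
        clauses.append((m.group(1), parse_version(m.group(2))))
    return clauses


def satisfies(version, clause):
    """True if `version` meets one (operator, version-tuple) clause."""
    op, want = clause
    v = parse_version(version)
    if op == "~=":
        # Compatible release: >= want, and < want with its last component
        # dropped and the one before it bumped: ~=5.4 is >=5.4,<6; ~=5.4.1 is >=5.4.1,<5.5
        if len(want) < 2:
            raise ValueError("~= needs at least two version components")
        upper = want[:-2] + (want[-2] + 1,)
        return _cmp(v, want) >= 0 and _cmp(v, upper) < 0
    c = _cmp(v, want)
    return {"==": c == 0, "!=": c != 0, "<": c < 0,
            "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]


def resolvable(requirements, candidates=CANDIDATES):
    """Candidate versions satisfying every requirement.
    requirements: {requiring package -> specifier string}; empty means conflict."""
    clauses = [c for spec in requirements.values() for c in parse_specifiers(spec)]
    return [v for v in candidates if all(satisfies(v, c) for c in clauses)]


def caret_to_pep440(text):
    """Poetry caret (^X.Y.Z) as explicit bounds: bump the left-most non-zero
    component, zero everything after it.  ^1.2.3 -> >=1.2.3,<2.0.0"""
    parts = list(parse_version(text))
    idx = next((i for i, p in enumerate(parts) if p), len(parts) - 1)
    upper = parts[:idx] + [parts[idx] + 1] + [0] * (len(parts) - idx - 1)
    return ">=%s,<%s" % (text, ".".join(map(str, upper)))


# Hypothetical requirement sets for the pyyaml conflict described in the thread.
PINNED = {"spock-config": "==6.0", "connexion": ">=5.4.1,<6.0"}
RELAXED = {"spock-config": "~=5.4", "connexion": ">=5.4.1,<6.0"}

if __name__ == "__main__":
    print("pinned  :", resolvable(PINNED))    # [] -> unresolvable
    print("relaxed :", resolvable(RELAXED))   # ['5.4.1']
    print("^5.4    :", caret_to_pep440("5.4"))
    print("^0.2.3  :", caret_to_pep440("0.2.3"))
```

Note that `~=5.4` and poetry's `^5.4` happen to coincide (`>=5.4,<6`), but `~=1.2.3` caps at `<1.3` while `^1.2.3` caps at `<2.0`, so the two operators are not interchangeable once three components are given.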

gbmarc1 commented 2 years ago

boto libs could simply be pinned