Hi,
On 07/24/2015 04:21 PM, Jeroen De Dauw wrote:
> Hey all,
> To me this is somewhat surprising and not something I've seen often. Why
> are bugfix releases excluded from the version ranges?
Not all package maintainers follow semver perfectly. For example, the
upgrade from monolog 1.11.0 -> 1.12.0 had a backwards compatibility
break[1] which would have broken our logging if we had used "~1.11" in
composer.json. Using a pinned version is safer to avoid BC issues and
allows for controlled upgrades where developers, CI, and production are
all using the same version in a predictable manner.
Normally people do this by putting ranges in the composer.json and
committing the composer.lock file to pin to a specific version, but that
would prevent people from adding arbitrary dependencies to MW for
extensions due to a dirty composer.lock file ([2], etc.)...so we just
put the specific versions in composer.json instead.
> And is it really a good idea considering it causes the users of the latest
> stable MediaWiki release to download outdated versions of various libraries?
> https://github.com/wikimedia/mediawiki/blob/REL1_25/composer.json#L19-L29
IMO yes. It means that people using git/composer are getting the same
dependencies as the people using the mediawiki/vendor repo and the
tarball. If there are bugfixes in libraries that affect MediaWiki, we
should backport library updates just like any other bug fix that is
backported.
[1] https://phabricator.wikimedia.org/T89313
[2] https://phabricator.wikimedia.org/T67188
-- Legoktm
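The range-versus-pin argument above, worked as an added example that is not part of the thread or of MediaWiki's tooling: it models Composer's `~` constraint semantics to show that `~1.11` admits the 1.12.0 release the reply mentions, and flags any `require` entry that is not an exact pin. The `composer.json` contents and the package names are constructed for the demonstration.

```python
import json
import re
from typing import Dict, Tuple

# Constructed sample (not MediaWiki's real composer.json): one range, one pin.
SAMPLE_COMPOSER_JSON = json.dumps({
    "require": {
        "monolog/monolog": "~1.11",   # tilde range: also matches 1.12.0
        "psr/log": "1.0.0",           # exact pin, as the thread recommends
    }
})


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'x.y' or 'x.y.z' into a tuple padded to three numeric parts."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


def tilde_bounds(spec: str) -> Tuple[Tuple[int, ...], Tuple[int, ...]]:
    """Composer '~' semantics: ~1.11 means >=1.11 <2.0.0, ~1.11.0 means
    >=1.11.0 <1.12.0. The last listed component may rise; the one before it
    is fixed. Assumption: at least two components are given."""
    parts = [int(p) for p in spec.lstrip("~").split(".")]
    if len(parts) < 2:
        raise ValueError("tilde constraint needs at least two components")
    lower = parse_version(".".join(map(str, parts)))
    upper = parse_version(".".join(map(str, parts[:-2] + [parts[-2] + 1, 0])))
    return lower, upper


def satisfies(version: str, spec: str) -> bool:
    """Check a version against an exact pin or a '~' range (other operators
    are out of scope for this example)."""
    if spec.startswith("~"):
        lower, upper = tilde_bounds(spec)
        return lower <= parse_version(version) < upper
    return parse_version(version) == parse_version(spec)


def unpinned_requirements(composer_json: str) -> Dict[str, str]:
    """Return require entries whose constraint is not an exact x.y.z pin,
    i.e. the ones that let an unreviewed upstream release in."""
    require = json.loads(composer_json).get("require", {})
    exact = re.compile(r"^\d+\.\d+\.\d+$")
    return {pkg: spec for pkg, spec in require.items() if not exact.match(spec)}


if __name__ == "__main__":
    print("1.12.0 satisfies ~1.11:", satisfies("1.12.0", "~1.11"))
    print("unpinned:", unpinned_requirements(SAMPLE_COMPOSER_JSON))
```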