-
Notifications
You must be signed in to change notification settings - Fork 258
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Feature] Allow developers to opt-in for SemVer-compatible dependency resolution #13779
Comments
Given that PackageReferences are also used to determine the dependencies when authoring a package from a project, how would this new feature and syntax interact with producing a package? Would NuGet packages learn about the |
@JonDouglas |
NuGet generates a .nuspec. If you use that syntax, it would imply the dependencies would need to be expressed similarly. NuGet could do this easily akin to:
Yes. If you specify something like General comments I'm curious of what people think about this in general and if other prior art (cargo, yarn, go, etc) do this really well and should be something we consider in this feature request. |
I like the suggestion but a few questions and comments :) I may have missed it, but how would this work with existing syntax for transitive dependencies? Currently most nuget packages probably specify an exact version for their own dependencies. Would opting in to this feature allow current syntax to be interpreted as Additionally, I would just want to re-iterate my comment from #13771, regarding the importance of (potentially?) forcing a lock file to be used together with features like this. Much like |
I don't think opt-in to this feature would change how existing packages with exact versions are handled. If desired, NuGet could provide a means of how package maintainers choose how consumers could/should interpret these. 100%. This direction would require lock files to be a key experience as they are in cargo/npm/go/etc. |
Something to keep in mind when designing this new feature: not all packages are following SemVer. Two examples coming to mind:
|
I don't think that's really a problem as long as it is clearly stated by the package author. Packages author should take this into account when they determine version range of their dependencies, and in a case like this it should be a fixed specific version. At least this is possible with npm. |
I think there should be a an option to update just one transitive dep. I can update for example just one npm transitive to update just specific dep in package lock file. Package.lock.json should stay remain and be able to be updated granularly. |
Just to provide transparency here based on NuGet Insights. This is how well NuGet.org conforms to SemVer:
In other words, SemVer compatibility is ~79% of total package versions at this point of time (September 2024). You can also see that ~20% have a fourth digit. Other reasons might be: non-normalized versions, legacy versioning schemes, pre-release versions in non-standard ways, special characters, or are incomplete. I hope this data helps guide the discussion further on this feature. |
There's an argument that library packages should build against the lowest version, to ensure that they actually do work with that version. I guess you'd just not set this property on libraries / use a conditional in But at least we'd be at parity with the other ecosystems. To cover the "required feature added in a patch version across multiple version branches" thing, can we include multiple version/ranges? Not sure if anywhere else supports that or they just require the whole tree to maintain branches too. ie. Dep 1.0 MyProject 1.0 -> doesn't depend on new feature, works with both 1.0 and 2.0: "^1.0" Dep 1.0.1 // old branch with patch Again a problem here is the tooling doesn't make it easy even to, ie. build against the first and then run tests against both. (and please add another voice indicating that |
On the subject of lock files, please consider addressing #12409 as part of this task (if not earlier). |
Have you considered including an attribute next to Version that'd behave like global.json Might be just me but I see some similarities and the shorthand syntax isn't immediately clear (my 2c of course). |
NuGet Product(s) Involved
NuGet SDK
The Elevator Pitch
NuGet is one of the few modern package managers that does not allow developers to automatically resolve dependencies based on Semantic Versioning (SemVer) compatibility. Many other package managers, such as npm and cargo, automatically install the latest available version within a SemVer-compatible range for both top-level and transitive dependencies.
I propose that NuGet offer developers an option to opt-in to a SemVer-compatible resolution. This would allow:
Benefits:
In addition, new shorthand syntax such as
^X.Y.Z
would help with consistency of other paradigms.Related to: #5553 (But starting a new issue as there are over a hundred comments and this is a clearer definition of what to do)
Expectation:
I can opt-in via some property like
<NuGetResolutionMode>
or<EnableSemVerResolution>
I can use caret syntax ^ for SemVer compatible updates i.e.
<PackageReference Include="Newtonsoft.Json" Version="^12.0.0" />
I can use tilde syntax for minor version locking i.e.
<PackageReference Include="Newtonsoft.Json" Version="~12.0.0" />
I can use the existing range syntax for explicit range >=, <= i.e.
<PackageReference Include="Newtonsoft.Json" Version="[12.0.0, 13.0.0)" />
Behavior Expectation:
Top-level and transitive dependencies should be updated within the allowed SemVer compatible ranges automatically.
Any direct or transitive dependency within the defined SemVer range should be installed or updated to the latest compatible version when running
restore
or other nuget installation operations.If users prefer to use the old behavior for compatibility reasons / exact versioning, they can do so by keeping the mode or disabling the property.
Example Cases:
NuGet
Cargo (comparison)
Please 👍 or 👎 this comment to help us with the direction of this feature & leave as much feedback/questions/concerns as you'd like on this issue itself and we will get back to you shortly.
Thank You 🎉
The text was updated successfully, but these errors were encountered: