This repository has been archived by the owner on May 10, 2019. It is now read-only.
Specify that we should lock on specific gem versions
We aren't confident that all of our dependencies will follow sensible versioning practices and so will need to do some review of all new versions. Locking them down protects against minor changes creeping in unintentionally and/or exposing ourselves to new security issues this way.
b17b34a
@jystewart why do you think this is important? Isn't this what Gemfile.lock is for? Gemfile is for semantic (major/minor) dependencies, not exact locked dependencies (major/minor+patch).
PS - stumbled on this in a forked styleguide and wanted to ask you directly!
Thanks for the response! I can see your reasoning, and it probably makes sense at GDS but less so on smaller teams with fewer reviewers (where just "a file is changed" is the level of review). Then it's useful to have the distinction between Gemfile.lock being updated on its own (hopefully as a single commit accompanied by "updating versions to the latest allowable") and Gemfile being updated as well (usually when bringing in a new or updated dependency, and maybe in a commit bringing in additional tests/functionality). (Of course this does require careful dependency expression in Gemfile, e.g. gem 'rails', '~> 3.2.7' rather than gem 'rails', '> 3'!)

Maybe the real takeaway is: don't just adopt someone else's styleguide (etc.) without considering (a) your own needs and (b) in any case the difference in team size/mandate.
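The commit message argues for locking gems to specific versions so that an unreviewed new release cannot creep in, and the comment thread contrasts that with pessimistic (`~>`) and open-ended (`> 3`) constraints in Gemfile. The script below is an added example written for this page; it is not code from the styleguide repository or from either commenter. It reads a constructed sample Gemfile (gem names and versions are made up), classifies each declaration's version constraint as exact, pessimistic, bounded, open-ended or unconstrained, and uses `Gem::Requirement` from RubyGems to show which future versions each constraint would let through. The function and constant names are the example's own.

```ruby
# Added example: a small Gemfile constraint audit using only the RubyGems
# standard library. Not the repository's code; names and versions below are
# constructed for illustration.
require 'rubygems'

# Constructed sample Gemfile mixing the constraint styles discussed above.
SAMPLE_GEMFILE = <<~GEMFILE
  source 'https://rubygems.org'

  gem 'rails', '~> 3.2.7'
  gem 'nokogiri', '1.5.5'
  gem 'pg', '= 0.14.1'
  gem 'rake', '> 3'
  gem 'sinatra', '>= 1.0'
  gem 'thin'
  gem 'rspec', '~> 2.11', '>= 2.11.0'
GEMFILE

# Matches `gem 'name'` followed by zero or more quoted requirement strings.
# Unquoted options such as `require: false` end the requirement chain.
GEM_LINE = /\A\s*gem\s+['"]([^'"]+)['"]((?:\s*,\s*['"][^'"]+['"])*)/

# Returns [[name, [requirement strings]], ...] for each gem line.
def parse_gem_lines(text)
  text.each_line.map do |line|
    m = GEM_LINE.match(line)
    next unless m
    [m[1], m[2].scan(/['"]([^'"]+)['"]/).flatten]
  end.compact
end

# Classify a list of requirement strings by the strongest guarantee present.
# A bare '1.5.5' is parsed by RubyGems as '= 1.5.5', i.e. an exact pin.
def classify(reqs)
  return :unconstrained if reqs.empty?
  ops = reqs.map { |r| Gem::Requirement.parse(r).first }
  return :exact       if ops.include?('=')
  return :pessimistic if ops.include?('~>')
  return :bounded     if ops.include?('<') || ops.include?('<=')
  :open_ended # only '>' / '>=' / '!=': any future release, breaking or not, satisfies it
end

# True if `version` satisfies all of `reqs` (an empty list means '>= 0').
def allowed?(reqs, version)
  Gem::Requirement.new(*reqs).satisfied_by?(Gem::Version.new(version))
end

# One hash per gem: name, raw requirements and the classification.
def audit(text)
  parse_gem_lines(text).map do |name, reqs|
    { name: name, requirements: reqs, kind: classify(reqs) }
  end
end

# Gems whose constraint would silently accept an unreviewed new major version.
def loose_gems(text)
  audit(text).select { |g| %i[unconstrained open_ended].include?(g[:kind]) }
             .map { |g| g[:name] }
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_GEMFILE).each do |g|
    puts format('%-10s %-22s %s', g[:name], g[:requirements].join(', '), g[:kind])
  end
  puts "loose: #{loose_gems(SAMPLE_GEMFILE).join(', ')}"
  puts "'~> 3.2.7' allows 3.2.8: #{allowed?(['~> 3.2.7'], '3.2.8')}, 3.3.0: #{allowed?(['~> 3.2.7'], '3.3.0')}"
  puts "'> 3'      allows 4.0.0: #{allowed?(['> 3'], '4.0.0')}"
end
```

Running it on a real Gemfile (replace `SAMPLE_GEMFILE` with `File.read('Gemfile')`) lists the gems where Gemfile alone gives no protection and Gemfile.lock is the only thing holding the version; that is the set a reviewer would want to see called out whenever Gemfile.lock changes on its own.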