New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Force dependency version #240
Comments
This looks to be expected behaviour. If one dependency depends on version |
How about a flag to force dependency of the base project rather than parent/library dependency? It makes more sense imo to follow developers resolution, instead of using dependency version. How would one deal with this situation? (in my case, I had to make two separate forks to fix this, which I could fix easily if I were allowed to set custom version lock). |
Duplicate or it could be solved if #105 is done. |
@duraki Using a shard with a dependency it isn't supposed to work with, is never a good idea. You can obviously override that by putting whatever version in The solution is to make the other shard's dependencies match up. Not to loosen restrictions on dependency resolution. |
This is expected. Both constraints are strict exact matches: =0.10.0 and =0.11.0 which is impossible to resolve. Both libraries are incompatible and they must solve this. For example by upgrading and releasing a new version to use 0.11.0, or use loose constraints instead of exact matches. |
Nop, loose constraints (~) instead of exact matches does not work since each of those can't resolve which one is "primary" (one provided by third-party library, or one provided by application developer). |
@duraki if the shard's |
@RX14 Strange expected behavior. Any specific reason? It makes absolutely no sense to relay on author or library dependency especially issue-wise. Lets say I find a vulnerability in third-party library used by any shard or app, if a fix was pushed to that lib, my application would stay vulnerable until author of third party library updated the code. Check composer/composer#6126 on how this was solved for unofficial PHP package manager using additional flag. |
They're good example of why library authors MUSN'T use exact matches, that are prone to fail very quickly, and prevent updating to security patches. Libraries should use loose constraints, such as Please bug the library authors to fix their dependencies. |
Today while upgrading my codebase to 0.27.0; I've stumble upon dependency issue; I couldn't lock a library to specific version. The only similar issue is at #12. Related to kemalcr/kemal-session#70.
Example of kemalcr/kemal-csrf:
Example of crecto/crecto-admin#shard.yml:
As seen above, the first snippet is dependency of the library, in this case
kemal-session
. The second snippet is from "any" project andshard.yml
listed.If for some reason we wanted to use latest version of
kemal-session
, we wouldn't be able:Allow developer to run, or force shard lock on base project, rather than parent lib/dep.
The text was updated successfully, but these errors were encountered: