Throw error if publishing a non-pre package that has pre-dependencies

[fteem]

Took a quick shot at #320 and I'd like some feedback because I think it needs more polishing. Also, should it throw an error or just show a warning? Fire away! 😃

[milmazz]

I added a few comments, hope this helps.

[milmazz]

The exception message should begin with lowercase, wdyt about this: "A stable package release cannot have a pre-release dependency"

[milmazz]

What do you think about: create a stable package release with a pre-release dependency?

[milmazz]

What about other common suffixes as: -rc, -alpha, -beta?. Also, you should consider the following:

A pre-release version number MAY be denoted by appending an arbitrary string immediately following the patch version and a dash. The string MUST be comprised of only alphanumerics plus dash [0-9A-Za-z-]. Pre-release versions satisfy but have a lower precedence than the associated normal version. Precedence SHOULD be determined by lexicographic ASCII sort order. For instance: 1.0.0-alpha1 < 1.0.0-beta1 < 1.0.0-beta2 < 1.0.0-rc1 < 1.0.0.

Source: http://semver.org/spec/v1.0.0.html#semantic-versioning-specification-semver

[ericmj]

This and the same check above should be done like this:

version = Hex.Version.parse!(string)
version.pre != []

[wojtekmach]

Looks pretty good! We still need to correctly handle more complicated version requirements

[wojtekmach]

@fteem @ericmj wdyt about the following refactoring?

defp has_pre_requirements?(meta) do
  meta.requirements
  |> Enum.map(& &1.requirement)
  |> Enum.any?(pre_requirement?/1)
end

[wojtekmach]

version should actually be version_requirement for which there's a Hex.Version.parse_requirement!. There's unfortunately no .pre field on Version.Requirement struct, we'd probably need to extract this information ourselves.

PS Having a function to determine if a version requirement allows prereleases could be a nice addition to Elixir. cc @ericmj

[wojtekmach]

actually, a quick'n'dirty way of determining this is simply doing:

String.contains?(requirement, "-")

[fteem]

Haha, after @milmazz left his comment about matching other version suffixes I though exactly about this approach, but I'd prefer to use Hex's correct way over a hack :)

[ericmj]

We check the pre-release for each component of the requirement so: ~> 1.0-dev and ~> 2.0 does not match 2.1.0-dev. But there is no way of knowing what versions we expect so I think the String.contains? check is our best bet.

[wojtekmach]

please change to ~> 0.0.1-pre

[wojtekmach]

Oh, btw: IMHO we should warn (instead of throwing an error) to give more flexibility to folks but I don't have a strong opinion about it.

[ericmj]

Oh, btw: IMHO we should warn (instead of throwing an error) to give more flexibility to folks but I don't have a strong opinion about it.

I think we should error but allow an override flag. In my experience people don't read the warnings on mix hex.publish :(.

[fteem]

@ericmj I added a --force flag, while the task itself throws an error. I took a dive in Hex.Version and tried to expose a pre field in the struct but I couldn't get it to work, so I used @wojtekmach's hack to detect the version requirements. Let me know your thoughts.

[wojtekmach]

@fteem I've spoken with @ericmj about this issue and we've decided that it would be better to display an error and not allow --force flag in this situation. I think it would be a reasonable assumption that a stable packages can depend only on other stable ones. If someone needs to depend on a pre-release version then that should be a pre-release as well. We could revisit this decision if someone comes up with a use case.

Sorry for going back'n'forth; do you mind updating the PR accordingly?

[michalmuskala]

A use case for depending on pre-releases that happened in the past with ecto, is that you accept versions of the dependency since that beta release, but later stable releases are fine too. SemVer is all about expressing minimal requirements, so it might make sense in that context.

Example: https://hex.pm/packages/ecto/2.0.6 depends on sbroker ~> 1.0-beta

Another case is preparing for a release of a new version of "parent" package by allowing prerelease, e.g ~> 2.0 or ~> 2.1-beta. That one was happening with packages depending on ecto when we were preparing for a stable 2.1 release.

To sum up: I don't agree with such a warning/error.

[josevalim]

@michalmuskala the question is: if your software depends on beta software, can your software be production ready then? I would likely to at least put a blocker on front on this.

In regards to --force, I believe we have discussed it elsewhere but it sets a dangerous precedent. I believe we should have a flag per warning we may emit, otherwise it is easy to use --force for everything and bypass important checks. So this one would be --allow-pre-deps and so on.

[ericmj]

If we add an override it would need to be an override flag specific to this case, for example --allow-pre-deps, like @josevalim says. For now we would like to get a feel for when people need to use pre-deps without their project being a pre-release. Unfortunately the only way is to remove the option completely, if people have valid use-cases we can add the flag.

Another case is preparing for a release of a new version of "parent" package by allowing prerelease, e.g ~> 2.0 or ~> 2.1-beta. That one was happening with packages depending on ecto when we were preparing for a stable 2.1 release.

If users need the pre-release they have the option to add overrides for this.

[ericmj]

We should move this check to build.ex where we have the other package validation: https://github.com/hexpm/hex/blob/master/lib/mix/hex/build.ex#L68

[ericmj]

Since we are working with booleans we can change this to not pre_requirement?(build.meta.version) and has_pre_requirements?(build.meta).

[ericmj]

Since this function raises and we don't care about the return value we can remove the booleans and change the name to check_pre_releases.

[ericmj]

This looks good to me. Travis errors seem unrelated.

[wojtekmach]

Thanks @fteem!