
Dependencies not locked correctly #104

Closed
dentarg opened this issue Nov 5, 2016 · 10 comments
Comments

dentarg (Collaborator) commented Nov 5, 2016

b61f962 got it all wrong. Discovered as Addressable 2.5.0 was released yesterday (all Travis builds failed).

$ rm Gemfile.lock

~/twingly/ruby/twingly-url master
$ bundle
Fetching gem metadata from https://rubygems.org/........
Fetching version metadata from https://rubygems.org/.
Resolving dependencies...
Using rake 10.5.0
Using coderay 1.1.1
Using diff-lcs 1.2.5
Using idn-ruby 0.1.0
Using method_source 0.8.2
Using slop 3.6.0
Using rspec-support 3.5.0
Using bundler 1.13.3
Using pry 0.10.4
Installing ruby-prof 0.16.2 with native extensions
Installing public_suffix 2.0.3
Installing rspec-core 3.5.4
Using rspec-expectations 3.5.0
Using rspec-mocks 3.5.0
Using rspec 3.5.0
Installing addressable 2.5.0
Using twingly-url 5.0.1 from source at `.`
Bundle complete! 5 Gemfile dependencies, 17 gems now installed.
Use `bundle show [gemname]` to see where a bundled gem is installed.
$ rm Gemfile.lock

~/twingly/ruby/twingly-url master*
$ git d
diff --git a/twingly-url.gemspec b/twingly-url.gemspec
index e5b5f6f..0034d19 100644
--- a/twingly-url.gemspec
+++ b/twingly-url.gemspec
@@ -12,8 +12,8 @@ Gem::Specification.new do |s|
   s.license     = "MIT"
   s.required_ruby_version = "~> 2.2"

-  s.add_dependency "addressable", "~> 2.4", ">= 2.4.0"
-  s.add_dependency "public_suffix", "~> 2.0", ">= 2.0.2"
+  s.add_dependency "addressable", "~> 2.4", "<= 2.4.0"
+  s.add_dependency "public_suffix", "~> 2.0", "<= 2.0.2"
   s.add_dependency "idn-ruby", "~> 0.1"

   s.add_development_dependency "rake", "~> 10"
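
Review bot: the two `+` lines swap the lower bound for an upper bound, so neither constraint set says what the thread intends. `"~> 2.4", "<= 2.4.0"` expands to `>= 2.4, < 3.0, <= 2.4.0`, which resolves to exactly 2.4.0; if a hard pin is the goal, `"= 2.4.0"` states it directly instead of leaving it to the reader to intersect the ranges. `"~> 2.0", "<= 2.0.2"` drops the `>= 2.0.2` floor the removed line had and now admits any 2.0.x below 2.0.2, which the old line deliberately excluded; keep the floor, or pin with `"= 2.0.2"` if that is the intent.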

~/twingly/ruby/twingly-url master*
$ bundle
Fetching gem metadata from https://rubygems.org/........
Fetching version metadata from https://rubygems.org/.
Resolving dependencies...
Using rake 10.5.0
Using addressable 2.4.0
Using coderay 1.1.1
Using diff-lcs 1.2.5
Using idn-ruby 0.1.0
Using method_source 0.8.2
Using slop 3.6.0
Using public_suffix 2.0.2
Using rspec-support 3.5.0
Using ruby-prof 0.16.2
Using bundler 1.13.3
Using pry 0.10.4
Using twingly-url 5.0.1 from source at `.`
Using rspec-core 3.5.4
Using rspec-expectations 3.5.0
Using rspec-mocks 3.5.0
Using rspec 3.5.0
Bundle complete! 5 Gemfile dependencies, 17 gems now installed.
Use `bundle show [gemname]` to see where a bundled gem is installed.
@dentarg dentarg added the bug label Nov 5, 2016
@dentarg dentarg closed this as completed in 5406a57 Nov 5, 2016
dentarg referenced this issue Nov 5, 2016
Set the latest version as the minimum (because that's the one that was
used when developing and testing twingly-url), but allow for usage of
later non-major versions, to be able to update the version of these gems
in projects using twingly-url, without requiring a new twingly-url
release.

http://guides.rubygems.org/patterns/

Didn't touch idn-ruby because there's currently only one version, 0.1.0,
released: https://rubygems.org/gems/idn-ruby/versions
dentarg (Collaborator, Author) commented Nov 5, 2016

b61f962 got it all wrong

No... it didn't. I think we wanted any addressable 2.x and any public_suffix 2.x, but minimum addressable 2.4.0 and minimum public_suffix 2.0.2.

We didn't expect addressable 2.5.0 to break anything.

dentarg (Collaborator, Author) commented Nov 5, 2016

We didn't expect addressable 2.5.0 to break anything.

It broke behaviour for certain input.

As we couple our tests to certain versions of addressable (and public_suffix), I think it makes sense to lock twingly-url to specific versions.

@dentarg dentarg reopened this Nov 5, 2016
dentarg (Collaborator, Author) commented Nov 5, 2016

Re-open because what I added:

  s.add_dependency "addressable", "~> 2.4", "<= 2.4.0"
  s.add_dependency "public_suffix", "~> 2.0", "<= 2.0.2"

...doesn't make sense :) (there will likely never be any addressable 2.4.x version, and public_suffix can be locked directly)

dentarg (Collaborator, Author) commented Nov 5, 2016

Suggestion on how we can proceed:

If we don't want to lock to specific versions, we can have #102 add back b61f962 (undo 5406a57), as it fixes the problematic test case.

walro (Contributor) commented Nov 5, 2016

I think locking to specific versions sounds like the least amount of headache in the future, otherwise we can go with your suggestion of fixing stuff in #102.

dentarg (Collaborator, Author) commented Nov 5, 2016

I will go ahead and make the change to locking to the specific versions in master, then merge master into #102, then make #102 bump addressable to 2.5.0.

If needed, we can have a discussion about the dependencies before making the next release.

@dentarg dentarg closed this as completed in 9f2bf17 Nov 5, 2016
dentarg (Collaborator, Author) commented Nov 5, 2016

then make #102 bump addressable to 2.5.0

I don't have to do that. That can come later.

walro (Contributor) commented Jan 30, 2018

In hindsight, this made it quite troublesome for bundler to be able to update the gem to a newer version, as we previously allowed later versions of the dependencies. It's a dance in all dependent projects now.

dentarg (Collaborator, Author) commented Jan 30, 2018

@walro can we make a new release of twingly-url that makes it easier for dependent projects?

walro (Contributor) commented Jan 30, 2018

@walro can we make a new release of twingly-url that makes it easier for dependent projects?

Not really sure how, could possibly help a bit if we lock down to patch versions, like:

  s.add_dependency "addressable", "~> 2.5.0"
  s.add_dependency "public_suffix", "~> 2.0.0"
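
The constraint sets from the gemspec diff in the first comment and the patch-level `~> 2.5.0` lock suggested just above can be checked with RubyGems' own resolver rather than by intersecting ranges in one's head. This is an added example, not code from twingly-url; the candidate version list is constructed for the demonstration (some numbers match releases named in this thread, others such as 2.4.1 and 2.6.0 are hypothetical).

```ruby
# Added example (not part of the twingly-url issue): evaluate the gemspec
# constraint sets discussed in this thread with Gem::Requirement so the
# effect of each combination is computed, not guessed.
require "rubygems"

# The constraint spellings that appear in the thread, in order of appearance.
CONSTRAINT_SETS = {
  # b61f962: floor at 2.4.0, any 2.x -> lets 2.5.0 in
  "addressable ~> 2.4, >= 2.4.0"   => ["~> 2.4", ">= 2.4.0"],
  # 5406a57: floor and ceiling collide -> only 2.4.0 matches
  "addressable ~> 2.4, <= 2.4.0"   => ["~> 2.4", "<= 2.4.0"],
  # 5406a57: ceiling without the old 2.0.2 floor -> older 2.0.x admitted
  "public_suffix ~> 2.0, <= 2.0.2" => ["~> 2.0", "<= 2.0.2"],
  # later suggestion: pessimistic lock at patch level
  "addressable ~> 2.5.0"           => ["~> 2.5.0"],
}.freeze

# Constructed candidate versions (2.4.1, 2.5.1 and 2.6.0 are hypothetical).
CANDIDATES = %w[2.0.0 2.0.2 2.0.3 2.4.0 2.4.1 2.5.0 2.5.1 2.6.0 3.0.0].freeze

# Returns the subset of `candidates` satisfying every constraint in `specs`,
# using the same Gem::Requirement logic Bundler applies at resolve time.
def allowed_versions(specs, candidates = CANDIDATES)
  req = Gem::Requirement.new(*specs)
  candidates.select { |v| req.satisfied_by?(Gem::Version.new(v)) }
end

# True when a constraint set admits exactly one candidate, i.e. it is a hard
# pin regardless of how it is spelled.
def effectively_pinned?(specs, candidates = CANDIDATES)
  allowed_versions(specs, candidates).size == 1
end

if $PROGRAM_NAME == __FILE__
  CONSTRAINT_SETS.each do |label, specs|
    pinned = effectively_pinned?(specs) ? " (hard pin)" : ""
    puts "#{label.ljust(32)} => #{allowed_versions(specs).join(', ')}#{pinned}"
  end
end
```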
