
Relax dependency pinning from patch to minor level only #153

Merged (1 commit) on Mar 10, 2025

Conversation

@alerque (Member) commented Nov 29, 2024

One of the things I've found frustrating trying to update dependencies in my own projects (and 3rd party ones) is keeping the dependency tree free of duplicate copies of the same crate at different pinned versions. This is a notable problem for this crate in particular because it has a number of dependencies pinned to exact patch versions and is frequently found in conjunction with other crates that do the same. An example of this is Typst (which uses rustybuzz directly), which depends on resvg, which in turn depends on RustyBuzz and ttf-parser as well.

I propose relaxing the main manifest to only define dependencies at the minor version level. This will make downstream dependency trees quite a bit easier to manage and allow more frequent version bumps for some projects without bloating the build tree.

In the meantime we still have a tracked lock manifest with exact patch versions for what we have most recently tested and released.

Any feelings on this guys?

@LaurenzV (Collaborator) commented

I thought that even if you specify the minor version in Cargo.toml, as long as you don't specify the dependency with = the minor version won't be pinned? But if that's not the case, I'm fine with this change.

@alerque (Member, Author) commented Mar 10, 2025

> as long as you don't specify the dependency with = the minor version won't be pinned

True, but the default caret requirements syntax allows semver compatible updates. If you specify 1.2.3 it is allowed to update to any 1.2.x release. If you specify 1.2 then it is allowed to update to any 1.x release. Relaxing our dependencies from patch level updates to minor version level is what this PR is about. This should be fine as long as no dependencies start outputting semver-breaking changes in non-breaking releases. In that case all bets are kind of off anyway, and it could just as easily happen in a patch release too.
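To make the caret semantics discussed above concrete, here is an added example (not code from the rustybuzz project or from either commenter) that re-implements Cargo's default caret requirement and the `=` exact form as documented in the Cargo reference, using only the standard library rather than the `semver` crate. Running `accepts` over a few requirement/version pairs shows exactly which releases a manifest entry lets `cargo update` pick up, including the stricter 0.x cases that matter for crates like ttf-parser. The version numbers in `main` are constructed for illustration and are not real release numbers of any crate.

```rust
// Added example: a minimal re-implementation of Cargo's version-requirement
// matching for the caret (default) and exact (`=`) forms. Std-only toy,
// not the `semver` crate that Cargo itself uses.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

impl Version {
    /// Parse a full "a.b.c" version; returns None for anything else.
    pub fn parse(s: &str) -> Option<Version> {
        let parts: Vec<u64> = s
            .split('.')
            .map(|p| p.trim().parse().ok())
            .collect::<Option<_>>()?;
        if parts.len() != 3 {
            return None;
        }
        Some(Version { major: parts[0], minor: parts[1], patch: parts[2] })
    }
}

/// A parsed requirement: either an exact version or the half-open range
/// [lower, upper) that a caret requirement expands to.
#[derive(Debug, PartialEq, Eq)]
pub enum Req {
    Exact(Version),
    Range { lower: Version, upper: Version },
}

/// Parse a Cargo requirement string such as "1.2.3", "1.2", "1", "^0.24", "=0.24.1".
pub fn parse_req(s: &str) -> Option<Req> {
    let s = s.trim();
    if let Some(rest) = s.strip_prefix('=') {
        return Version::parse(rest).map(Req::Exact);
    }
    let rest = s.strip_prefix('^').unwrap_or(s);
    let parts: Vec<u64> = rest
        .split('.')
        .map(|p| p.trim().parse().ok())
        .collect::<Option<_>>()?;
    if parts.is_empty() || parts.len() > 3 {
        return None;
    }
    // Components that were not written count as 0 for the lower bound.
    let comp = |i: usize| parts.get(i).copied().unwrap_or(0);
    let lower = Version { major: comp(0), minor: comp(1), patch: comp(2) };
    // Caret rule from the Cargo reference: the upper bound bumps the leftmost
    // non-zero component that was written; if every written component is 0,
    // it bumps the last component that was written (so "0.0" < 0.1.0, "0" < 1.0.0).
    let bump_at = parts.iter().position(|&p| p != 0).unwrap_or(parts.len() - 1);
    let upper = match bump_at {
        0 => Version { major: lower.major + 1, minor: 0, patch: 0 },
        1 => Version { major: lower.major, minor: lower.minor + 1, patch: 0 },
        _ => Version { major: lower.major, minor: lower.minor, patch: lower.patch + 1 },
    };
    Some(Req::Range { lower, upper })
}

/// Does `candidate` satisfy `req`?
pub fn matches(req: &Req, candidate: Version) -> bool {
    match req {
        Req::Exact(v) => *v == candidate,
        Req::Range { lower, upper } => candidate >= *lower && candidate < *upper,
    }
}

/// Convenience wrapper over strings; unparsable input never matches.
pub fn accepts(req: &str, candidate: &str) -> bool {
    match (parse_req(req), Version::parse(candidate)) {
        (Some(r), Some(v)) => matches(&r, v),
        _ => false,
    }
}

fn main() {
    // Constructed pairs; these are illustrative numbers, not real ttf-parser releases.
    let pairs = [
        ("0.24.1", "0.24.2"),  // patch bump inside a 0.x caret range
        ("0.24.1", "0.25.0"),  // minor bump of a 0.x crate: blocked
        ("0.24", "0.24.9"),    // relaxed 0.x pin still stops at 0.25.0
        ("1.2.3", "1.5.0"),    // >= 1.x caret allows minor updates
        ("=0.24.1", "0.24.2"), // exact pin: nothing else is accepted
    ];
    for (req, cand) in pairs {
        println!("{req:>8} accepts {cand:<8} -> {}", accepts(req, cand));
    }
}
```

The useful check when applying a relaxation like this PR's is `cargo tree --duplicates`, which lists every crate that still appears at more than one version in the resolved graph, before and after editing the manifest; the lockfile, as the thread notes, continues to record the exact versions actually built and tested.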

@alerque (Member, Author) commented Mar 10, 2025

Re-reading my initial message it looks like I worded the rationale quite poorly, sorry for the confusion. The idea is to allow minor version bumps and only block major versions that are expected to be breaking.

@alerque alerque merged commit bb7e92d into main Mar 10, 2025
4 checks passed
@alerque alerque deleted the relax-deps branch March 10, 2025 13:32