Open
Description
Currently, almost everywhere we don't specify package versions during `mamba install`.
The previous behaviour (I changed it a few years ago) specified every version manually.
But the new version has one major flaw: sometimes a package might get downgraded to a really old version.
This happened twice already:
- Pin min notebook version #2167
- Nodejs has been downgraded from 22.9.0 to 12.4.0 in latest images #2170
And I added a fix for notebook, and we have to keep it forever, because when a new jupyterlab is released, we might have the same problem.
My proposal - maybe we should pin minimum versions for all the packages?
Upsides:
- we will have fewer unexpected downgrades (they might still happen during the next `mamba install`, if we don't explicitly pin versions after installing)
- we still don't need to have PRs every time a new package is released, like we did a few years ago (because `mamba` will probably use a newer version, if dependencies are resolved)
- probably, less resolution to do, and better logs when some dependency is not resolved
- a bit more control when some security update is released - someone can send a PR where he increases the minimum version (now we always expect our packages to eventually become up-to-date)
Downsides:
- well, we'll need to choose which min versions to specify
- there is some work to make our tests work better when we specify package versions
- there will be more PRs than we see now (every time someone wants to increase the min version of some package)
- we haven't tested this way and there might be some issues as well
There are other strategies, for example pinning the major version, but I don't like it from a security perspective: pinning the min version gives a bit more control.
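As an added example (not code from the issue author or the docker-stacks project), the script below shows the mechanics of the proposal: it turns an installed-package listing into `name>=version` minimum pins that can be passed to `mamba install`, and it compares two listings to flag packages the solver moved backwards. The listing format only assumes the `name` and `version` fields of `mamba list --json`; the package versions in the sample data are constructed, apart from the nodejs 22.9.0 to 12.4.0 downgrade quoted from the issue, and the version comparison is a deliberately simplified stand-in for conda's own ordering.

```python
"""Added example (not docker-stacks code): generate `mamba install` minimum
pins from an installed-package listing and detect downgrades between two
listings.  Listings mimic the `name`/`version` fields of `mamba list --json`.
All sample versions are constructed except the nodejs downgrade from the issue."""
import json
import re

# Constructed "before" listing: the image as built with pinned packages.
BEFORE_JSON = json.dumps([
    {"name": "nodejs", "version": "22.9.0"},
    {"name": "notebook", "version": "7.2.2"},
    {"name": "jupyterlab", "version": "4.2.5"},
])

# Constructed "after" listing: the same image rebuilt with an unpinned
# `mamba install`, where the solver picked an old nodejs (as in the issue).
AFTER_JSON = json.dumps([
    {"name": "nodejs", "version": "12.4.0"},
    {"name": "notebook", "version": "7.2.2"},
    {"name": "jupyterlab", "version": "4.3.0"},
])


def parse_version(version):
    """Turn '22.9.0' or '1.0rc1' into a comparable tuple.

    Each dot/dash/plus separated piece becomes (number, is_final, suffix),
    so a pre-release like '1.0rc1' sorts below the final '1.0'.  Components
    are compared positionally, so '1.0' sorts just below '1.0.0'; this is a
    simplification of conda's full version ordering, not a replacement for it."""
    parts = []
    for piece in re.split(r"[.\-+]", version):
        match = re.match(r"(\d+)(.*)", piece)
        if match:
            suffix = match.group(2)
            parts.append((int(match.group(1)), suffix == "", suffix))
        else:
            # Purely alphabetic piece (e.g. 'py3'): sort it below any number.
            parts.append((-1, False, piece))
    return tuple(parts)


def installed_versions(listing_json):
    """Map package name -> version from a `mamba list --json`-style listing."""
    return {pkg["name"]: pkg["version"] for pkg in json.loads(listing_json)}


def min_pins(listing_json):
    """Emit sorted 'name>=version' specs pinning each package to at least the
    version currently installed.  '>=' is a standard conda MatchSpec operator,
    so the result can be passed verbatim to `mamba install`."""
    versions = installed_versions(listing_json)
    return [f"{name}>={versions[name]}" for name in sorted(versions)]


def find_downgrades(before_json, after_json):
    """Return {name: (old, new)} for packages whose version went backwards
    between the two listings; packages only present in one side are ignored."""
    before = installed_versions(before_json)
    after = installed_versions(after_json)
    return {
        name: (before[name], after[name])
        for name in before
        if name in after
        and parse_version(after[name]) < parse_version(before[name])
    }


if __name__ == "__main__":
    print("pins to add:", " ".join(repr(p) for p in min_pins(BEFORE_JSON)))
    print("downgrades:", find_downgrades(BEFORE_JSON, AFTER_JSON))
```

Running `find_downgrades` over listings captured before and after an image rebuild is the check a CI job would do to catch a regression like #2170 without waiting for a user report; `min_pins` gives the starting point for the "which min versions to specify" question by taking the versions a known-good image already has.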