Hi,
On 07/24/2015 04:21 PM, Jeroen De Dauw wrote:
> Hey all,
> To me this is somewhat surprising and not something I've seen often. Why are bugfix releases excluded from the version ranges?
Not all package maintainers follow semver perfectly. For example, the upgrade from monolog 1.11.0 -> 1.12.0 had a backwards compatibility break[1] which would have broken our logging if we had used "~1.11" in composer.json. Using a pinned version is safer to avoid BC issues and allows for controlled upgrades where developers, CI, and production are all using the same version in a predictable manner.
Normally people do this by putting ranges in the composer.json and committing the composer.lock file to pin to a specific version, but that would prevent people from adding arbitrary dependencies to MW for extensions due to a dirty composer.lock file ([2], etc.)...so we just put the specific versions in composer.json instead.
> And is it really a good idea considering it causes the users of the latest stable MediaWiki release to download outdated versions of various libraries? https://github.com/wikimedia/mediawiki/blob/REL1_25/composer.json#L19-L29
IMO yes. It means that people using git/composer are getting the same dependencies as the people using the mediawiki/vendor repo and the tarball. If there are bugfixes in libraries that affect MediaWiki, we should backport library updates just like any other bug fix that is backported.
[1] https://phabricator.wikimedia.org/T89313
[2] https://phabricator.wikimedia.org/T67188
-- Legoktm
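As an added illustration of the pinning argument in the reply above (example code written for this thread, not code from MediaWiki or Composer), a small Python resolver for Composer's `~` constraint and exact pins. The monolog release list is constructed; the tilde semantics follow Composer's documented rule that the last given component may rise.

```python
"""Resolve Composer-style version constraints against a constructed release
list, to show why "~1.11" would have pulled in monolog 1.12.0 (and anything
below 2.0) while the pinned "1.11.0" used in composer.json would not."""

# Constructed list of monolog releases; not taken from Packagist.
AVAILABLE = ["1.10.0", "1.11.0", "1.12.0", "1.13.1", "2.0.0"]


def parse(version):
    """Turn "1.12.0" into a comparable tuple, padded to three components."""
    parts = tuple(int(x) for x in version.split("."))
    return parts + (0,) * (3 - len(parts))


def tilde_bounds(spec):
    """Bounds for Composer's "~" operator.

    "~1.11"   means >=1.11.0,<2.0.0  (minor may rise, major may not)
    "~1.11.0" means >=1.11.0,<1.12.0 (patch may rise, minor may not)
    """
    given = tuple(int(x) for x in spec[1:].split("."))
    lower = given
    if len(given) == 1:
        upper = (given[0] + 1,)
    else:
        # Bump the second-to-last given component, zero the rest.
        upper = given[:-2] + (given[-2] + 1, 0)
    pad = lambda t: t + (0,) * (3 - len(t))
    return pad(lower), pad(upper)


def matches(constraint, version):
    """True if `version` satisfies `constraint` (either "~X.Y[.Z]" or a pin)."""
    v = parse(version)
    if constraint.startswith("~"):
        lower, upper = tilde_bounds(constraint)
        return lower <= v < upper
    return parse(constraint) == v  # exact pin: only this one release


def resolve(constraint, available=AVAILABLE):
    """Pick the highest available release satisfying `constraint`, like an
    unlocked `composer update` would; None if nothing matches."""
    candidates = [v for v in available if matches(constraint, v)]
    return max(candidates, key=parse) if candidates else None


if __name__ == "__main__":
    for c in ("~1.11", "~1.11.0", "1.11.0"):
        print(f"{c:>8} -> {resolve(c)}")
```

With the constructed list, "~1.11" resolves to 1.13.1 and silently accepts the 1.12.0 BC break, whereas the pin only ever yields 1.11.0.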