Hey,
> Not all package maintainers follow semver perfectly. For example, the
> upgrade from monolog 1.11.0 -> 1.12.0 had a backwards compatibility break [1] which would have broken our logging if we had used "~1.11" in composer.json.
That is true. Often it's not pragmatic to follow the rules 100%. There'd have been no issue if the range used had been "~1.11.0". What about the libraries part of the MediaWiki project itself? Supposedly we can trust those. If we can't, that seems like a bigger problem to begin with.
> Normally people do this by putting ranges in the composer.json and
> committing the composer.lock file to pin to a specific version, but that would prevent people from adding arbitrary dependencies to MW for extensions due to a dirty composer.lock file ([2], etc.)...so we just put the specific versions in composer.json instead.
Unfortunately those things are not equivalent. If you use a composer.lock, one can still run composer update. That is not only needed when one wants to get bugfixes. Imagine you want to install a MediaWiki extension that requires version "^1.0.1" of some library while MediaWiki requires "1.0.0". You end up not being able to install the extension, since MediaWiki's composer.json says "no, you can't use that bugfix". That seems like a huge usability fail to me. Am I missing something?
> If there are bugfixes in libraries that affect MediaWiki, we
> should backport library updates just like any other bug fix that is backported.
I hope this was meant to say "that affect *the people using* MediaWiki".
Cheers
-- Jeroen De Dauw - http://www.bn2vs.com Software craftsmanship advocate Developer at Wikimedia Germany ~=[,,_,,]:3
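The two constraint questions in the thread (why "~1.11" lets monolog 1.12.0 in while "~1.11.0" would not, and why an exact "1.0.0" in MediaWiki's composer.json collides with an extension's "^1.0.1") can be checked mechanically. The following is an added example, not code from the thread or from Composer itself: a small Python model of Composer's tilde, caret and exact-version constraints (the tilde/caret rules follow the Composer documentation as I read it, and the 0.x caret handling is an assumption) that turns each constraint into an interval and tests versions and constraint pairs against it.

```python
from typing import Tuple

# A version is modelled as a (major, minor, patch) tuple so tuples compare lexically.
Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse '1.11' or '1.11.0' into a 3-tuple, padding missing components with 0."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def constraint_range(constraint: str) -> Tuple[Version, Version]:
    """Return (lo_inclusive, hi_exclusive) for one Composer-style constraint.

    Supported forms (assumed semantics, per Composer's docs):
      ~X.Y    -> >=X.Y.0 <(X+1).0.0   (the last given component may grow)
      ~X.Y.Z  -> >=X.Y.Z <X.(Y+1).0
      ^X.Y.Z  -> >=X.Y.Z <(X+1).0.0   (for X>0; 0.x stays within the minor)
      X.Y.Z   -> exactly that version
    """
    c = constraint.strip()
    if c.startswith("~"):
        body = c[1:]
        lo = parse_version(body)
        given = len(body.split("."))
        if given >= 3:
            return lo, (lo[0], lo[1] + 1, 0)
        if given == 2:
            return lo, (lo[0] + 1, 0, 0)
        raise ValueError("~ constraint needs at least major.minor")
    if c.startswith("^"):
        body = c[1:]
        lo = parse_version(body)
        given = len(body.split("."))
        if lo[0] > 0:
            return lo, (lo[0] + 1, 0, 0)
        if lo[1] > 0 or given < 3:
            return lo, (0, lo[1] + 1, 0)      # assumption: ^0.Y.Z stays in 0.Y
        return lo, (0, 0, lo[2] + 1)          # assumption: ^0.0.Z stays in 0.0.Z
    # Plain version string: Composer treats it as an exact pin.
    lo = parse_version(c)
    return lo, (lo[0], lo[1], lo[2] + 1)


def satisfies(version: str, constraint: str) -> bool:
    """Does a concrete version fall inside the constraint's interval?"""
    lo, hi = constraint_range(constraint)
    return lo <= parse_version(version) < hi


def compatible(a: str, b: str) -> bool:
    """Can any single version satisfy both constraints (non-empty intersection)?"""
    lo_a, hi_a = constraint_range(a)
    lo_b, hi_b = constraint_range(b)
    return max(lo_a, lo_b) < min(hi_a, hi_b)


def thread_scenarios() -> dict:
    """The cases discussed in the thread, evaluated with the model above."""
    return {
        # "~1.11" would have pulled in monolog 1.12.0 and its BC break.
        "tilde_minor_allows_1.12.0": satisfies("1.12.0", "~1.11"),
        # "~1.11.0" stays below 1.12.0, so the break is excluded.
        "tilde_patch_allows_1.12.0": satisfies("1.12.0", "~1.11.0"),
        # MediaWiki pinning "1.0.0" while an extension wants "^1.0.1": no overlap.
        "exact_pin_vs_caret_bugfix": compatible("1.0.0", "^1.0.1"),
        # A range in MediaWiki instead of a pin would resolve the conflict.
        "caret_vs_caret_bugfix": compatible("^1.0.0", "^1.0.1"),
    }


if __name__ == "__main__":
    for name, result in thread_scenarios().items():
        print(f"{name}: {result}")
```

The intervals make the thread's point visible: an exact pin is a zero-width range, so any extension asking for a later patch has nothing to intersect with, whereas "~1.11.0" still admits patch releases without admitting the next minor.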