Hey,
Not all package maintainers follow semver perfectly. For example, the upgrade from monolog 1.11.0 -> 1.12.0 had a backwards compatibility break[1] which would have broken our logging if we had used "~1.11" in composer.json.
That is true. Often it's not pragmatic to follow the rules 100%. There'd have been no issue if the range used had been "~1.11.0". What about the libraries that are part of the MediaWiki project itself? Supposedly we can trust those. If we can't, that seems like a bigger problem to begin with.
Normally people do this by putting ranges in the composer.json and committing the composer.lock file to pin to a specific version, but that would prevent people from adding arbitrary dependencies to MW for extensions due to a dirty composer.lock file ([2], etc.)...so we just put the specific versions in composer.json instead.
Unfortunately those things are not equivalent. If you use a composer.lock, one can still run composer update. That is not only needed when one wants to get bugfixes. Imagine you want to install a MediaWiki extension that requires version "^1.0.1" of some library while MediaWiki requires "1.0.0". You end up not being able to install the extension, since MediaWiki's composer.json says "no, you can't use that bugfix". That seems like a huge usability fail to me. Am I missing something?
If there are bugfixes in libraries that affect MediaWiki, we should backport library updates just like any other bug fix that is backported.
I hope this was meant to say "that affect *the people using* MediaWiki".
Cheers
--
Jeroen De Dauw -
http://www.bn2vs.com
Software craftsmanship advocate
Developer at Wikimedia Germany
~=[,,_,,]:3
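The three constraint shapes argued over in this thread ("~1.11" vs "~1.11.0", and an exact "1.0.0" pin against an extension's "^1.0.1") can be checked mechanically. The following is an added example written for this page, not code from the thread or from Composer itself: a small matcher that implements Composer's documented semantics for tilde, caret and exact constraints on plain three-part versions (no stability suffixes or ranges), plus a helper that lists which released versions satisfy every constraint at once. The "released" version lists are constructed sample data; an empty result means the requirements cannot be resolved together, which is exactly the exact-pin-vs-bugfix conflict described above.

```python
"""Composer-style version constraint matching (tilde, caret, exact).

Added example for the mailing-list discussion; not code from the thread or
from Composer. Semantics follow Composer's documented rules:
  ~1.11    ->  >=1.11.0 <2.0.0   (last given segment may grow)
  ~1.11.0  ->  >=1.11.0 <1.12.0
  ^1.0.1   ->  >=1.0.1  <2.0.0   (left-most non-zero segment is fixed)
  1.0.0    ->  ==1.0.0           (exact pin)
Only plain numeric versions are supported.
"""
from typing import Callable, List, Sequence, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn '1.12' or 'v1.12.0' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().lstrip("v").split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2])


def parse_constraint(text: str) -> Callable[[Version], bool]:
    """Return a predicate that tells whether a version satisfies the constraint."""
    text = text.strip()
    if text.startswith("~"):
        base = text[1:]
        lower = parse_version(base)
        segments = len(base.split("."))
        # Tilde: the last segment written may increase, the one before it may not.
        if segments <= 2:
            upper = (lower[0] + 1, 0, 0)          # ~1 and ~1.11 both stop at 2.0.0
        else:
            upper = (lower[0], lower[1] + 1, 0)   # ~1.11.0 stops at 1.12.0
        return lambda v: lower <= v < upper
    if text.startswith("^"):
        lower = parse_version(text[1:])
        # Caret: nothing left of the first non-zero segment may change.
        if lower[0] > 0:
            upper = (lower[0] + 1, 0, 0)
        elif lower[1] > 0:
            upper = (0, lower[1] + 1, 0)
        else:
            upper = (0, 0, lower[2] + 1)
        return lambda v: lower <= v < upper
    exact = parse_version(text)                   # bare version: exact pin
    return lambda v: v == exact


def satisfying_versions(constraints: Sequence[str], released: Sequence[str]) -> List[str]:
    """Versions from `released` that satisfy every constraint (empty = unresolvable)."""
    checks = [parse_constraint(c) for c in constraints]
    return [v for v in released if all(check(parse_version(v)) for check in checks)]


if __name__ == "__main__":
    # Constructed sample release lists, chosen to mirror the cases in the thread.
    monolog = ["1.11.0", "1.12.0"]
    print("~1.11   admits", satisfying_versions(["~1.11"], monolog))    # the BC-breaking 1.12.0 gets in
    print("~1.11.0 admits", satisfying_versions(["~1.11.0"], monolog))  # only the 1.11.x line

    some_lib = ["1.0.0", "1.0.1", "1.1.0"]
    core_pin, extension_need = "1.0.0", "^1.0.1"
    print("exact pin + ^1.0.1:", satisfying_versions([core_pin, extension_need], some_lib))  # [] -> conflict
    print("~1.0.0 + ^1.0.1:   ", satisfying_versions(["~1.0.0", extension_need], some_lib))  # the bugfix release
```

Running the script prints the two outcomes side by side: the loose tilde range lets the breaking 1.12.0 through, the narrower one does not, and an exact core pin leaves no version an extension requiring "^1.0.1" can share, whereas a patch-level range resolves to the bugfix release.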