On 2015-02-04 23:00, Mike Parker wrote:

> Then you specify a specific version of the library as a dependency,
> rather than a version range.

No, this is not enough. The tool needs to automatically track and lock the whole dependency graph. Example:

Project A:

"dependencies": {
  "b": "1.0.0"
}

Project B:

"dependencies": {
  "c": ">=1.0.0"
}

Even though you have locked your direct dependencies to a specific version, that doesn't mean that the dependencies have done so. Meaning, you can get arbitrary versions of indirect dependencies. You can start adding the indirect dependencies as direct dependencies, but that defeats the point of a package manager.

I have explained so many times in the Dub forum why not locking the whole graph is a really, really bad idea.

I've experienced this myself many times with Ruby before it got Bundler which fixes this.

--
/Jacob Carlborg
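As an added illustration, not code from this mail or from Dub itself: a toy resolver run over the two manifests quoted above, with a constructed package registry. It shows that pinning only A's direct dependency still lets the indirect dependency c drift when a new c is published, while a Bundler-style lock of the whole graph keeps the resolved set fixed.

```python
# Constructed registry in the shape of the dub.json fragments above:
# package -> version -> that version's "dependencies" section.
def make_registry():
    return {
        "b": {"1.0.0": {"c": ">=1.0.0"}},   # b leaves c as a range
        "c": {"1.0.0": {}, "1.1.0": {}},
    }

PROJECT_A = {"b": "1.0.0"}          # A pins b exactly, as in the mail

def version_key(v):
    return tuple(int(p) for p in v.split("."))

def satisfies(version, spec):
    """Only the two spec forms used in the mail: exact 'x.y.z' and '>=x.y.z'."""
    if spec.startswith(">="):
        return version_key(version) >= version_key(spec[2:])
    return version == spec

def resolve(direct_deps, registry, lock=None):
    """Resolve the whole graph. Without a lock, every unpinned edge (here b -> c)
    takes the newest matching version at resolve time; with a lock, each package
    takes its locked version, after checking it still satisfies the spec."""
    resolved = {}
    todo = list(direct_deps.items())
    while todo:
        name, spec = todo.pop()
        if name in resolved:
            continue  # first selection wins; conflict reconciliation is out of scope
        if lock and name in lock:
            chosen = lock[name]
            if not satisfies(chosen, spec):
                raise ValueError(f"lock has {name} {chosen}, which violates {spec!r}")
        else:
            candidates = [v for v in registry[name] if satisfies(v, spec)]
            if not candidates:
                raise LookupError(f"no version of {name} satisfies {spec!r}")
            chosen = max(candidates, key=version_key)
        resolved[name] = chosen
        todo.extend(registry[name][chosen].items())  # follow indirect dependencies
    return resolved

def drift_demo():
    """Returns (initial graph, graph after c 2.0.0 ships without a lock, with a lock)."""
    reg = make_registry()
    initial = resolve(PROJECT_A, reg)       # A's pin of b does not pin c
    lock = dict(initial)                    # what a whole-graph lock file would record
    reg["c"]["2.0.0"] = {}                  # upstream publishes a new c; A is unchanged
    return initial, resolve(PROJECT_A, reg), resolve(PROJECT_A, reg, lock)
```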
