Hi,

On 07/24/2015 04:21 PM, Jeroen De Dauw wrote:
> Hey all,
> 
> To me this is somewhat surprising and not something I've seen often. Why
> are bugfix releases excluded from the version ranges? 

Not all package maintainers follow semver perfectly. For example, the
upgrade from monolog 1.11.0 -> 1.12.0 had a backwards compatibility
break[1] which would have broken our logging if we had used "~1.11" in
composer.json. Using a pinned version is safer to avoid BC issues and
allows for controlled upgrades where developers, CI, and production are
all using the same version in a predictable manner.

Normally people do this by putting ranges in the composer.json and
committing the composer.lock file to pin to a specific version, but that
would prevent people from adding arbitrary dependencies to MW for
extensions due to a dirty composer.lock file ([2], etc.)...so we just
put the specific versions in composer.json instead.

> And is it really a
> good idea considering it causes the users of the latest stable MediaWiki
> release to download outdated versions of various libraries?
> https://github.com/wikimedia/mediawiki/blob/REL1_25/composer.json#L19-L29

IMO yes. It means that people using git/composer are getting the same
dependencies as the people using the mediawiki/vendor repo and the
tarball. If there are bugfixes in libraries that affect MediaWiki, we
should backport library updates just like any other bug fix that is
backported.

[1] https://phabricator.wikimedia.org/T89313
[2] https://phabricator.wikimedia.org/T67188

-- Legoktm
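
The pinning policy described in this message can be enforced in CI. The check below is an added example, not part of the original message and not MediaWiki's own tooling: it flags every `composer.json` constraint that is not a full x.y.z version. The function names, the sample manifest and the `example/*` packages are constructed for illustration, and requiring at least three numeric parts is an assumed policy.

```python
import json
import re

# Exact pin: optional "v", three or four numeric parts, optional stability
# suffix ("1.12.0", "v2.0.1-beta1"). Anything else is flagged.
EXACT = re.compile(
    r"^v?\d+(\.\d+){2,3}(-(dev|alpha|beta|rc|patch|p)\.?\d*)?$", re.IGNORECASE
)

def is_platform_package(name):
    # "php", "hhvm", "ext-*" and "lib-*" describe the runtime, not code that
    # Composer downloads, so ranges there are expected.
    return name in ("php", "hhvm") or name.startswith(("ext-", "lib-"))

def unpinned(composer_json_text, sections=("require", "require-dev")):
    """Return (section, package, constraint) for every non-exact constraint."""
    data = json.loads(composer_json_text)
    findings = []
    for section in sections:
        for name, constraint in data.get(section, {}).items():
            if is_platform_package(name):
                continue
            if not EXACT.match(constraint.strip()):
                findings.append((section, name, constraint))
    return findings

# Constructed sample manifest; package names other than monolog are hypothetical.
SAMPLE = """
{
  "require": {
    "php": ">=5.3.3",
    "monolog/monolog": "~1.11",
    "example/pinned-lib": "1.0.0",
    "example/caret-lib": "^2.3.0",
    "example/wildcard-lib": "1.2.*"
  },
  "require-dev": {
    "example/test-tool": "4.3.1",
    "example/branch-lib": "dev-master"
  }
}
"""

if __name__ == "__main__":
    for section, name, constraint in unpinned(SAMPLE):
        print(f"{section}: {name} uses range or branch constraint {constraint!r}")
```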
