-
-
Notifications
You must be signed in to change notification settings - Fork 260
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
contesting allowing breakage in minor versions #331
Comments
Hey @jshttp/express-tc, just want to flag this to make sure we give this as much consideration as it is due. I do believe that "data packages", or whatever you would call this where it ships a JS api and aggregated data from external sources, are not well supported via the controls we as package authors have. It means that we have a choice:
Specifically for the use case outlined above I think that there is a strong case for locking this dep in your package.json @davidmarkclements. No matter the decision we make, if changes can cause a ripple effect in the p2p network then I would say you will be better off locking deps, and I am not sure if that is isolated to this one, although I do see why this one is particularly difficult. |
cc @davidmarkclements: jshttp/mime-types#126 (comment) It is unfortunate that I did not realize it before releasing this, but we are working to cut support for older node versions which is requiring mass major version reving across our packages. This could have landed in that instead, which would have changed the medium term. Unfortunately that ship has sailed, and I think your use case was already broken. But going forward, I think we would totally be open to a new approach that decoupled the semver consideration from the data. If you are open to that I am sure we would love to see something that worked for all of us. |
consider what is done for CLDR unicode-org/rust-discuss#4 |
We decided in last weeks TC meeting to stick with the status quo for now. We have too much on our plates trying to get |
FWIW, both [Aside: Currently
I actually like this idea, but implementing it gets a little tricky.
Why "TBD"? This is how |
Our goal as the newly setup leaderhip group is to not let this happen. I would love if you would be willing to help us with that by being a collaborator on this (and any other related repos you have a stake in).
Well we had a few relatively good options I think, but with our main focus being on releasing |
If you special-case anything in an application it becomes communication overhead, and as soon as the chain of communication breaks (or someone forgets) it's not special-cased anymore and you're unknowingly open to unexpected breakage.
We're using mime-db in https://github.com/holepunchto/pear - an OSS P2P Runtime, a supply chain attack or really any kind of instability in the dependency tree can be existentially threatening because Pear updates are peer-to-peer, if it breaks it's broken on user machines (potentially forever). Therefore maintaining a policy decision that allows breaking changes in minor versions would mean we'd have to fork (which we'd rather not do).
Please reconsider.
For context:
The text was updated successfully, but these errors were encountered: