5
sjwsjwsjw
23h

Do you prefer to pin dependencies to an exact version or a specified major, latest minor version?

Comments
  • 3
    Normally exact, for private projects none.
  • 3
    Honestly I don't have a strong preference. Pinning to an exact version means that I might have to update manually if a vulnerability comes up. Same major+latest patch might work better for that, but that depends on how the CI/CD is set up (if any).
  • 3
    Always exact.

    Build replayability is vital for CI/CD.
  • 1
    Personal preference: don't pin, fix stuff when it breaks (or pin until it's fixed). Releases/deployments should record the exact version they were deployed with (e.g. build a Docker container). Then other people complain I play fast and loose and want more exact pinning. Then we fall multiple major releases behind and run a version with known security issues (yes, that's my current job).
  • 3
    Exact, with integrity check where possible.

    Dependabot or similar to tell you when there's a new version available so you can make a conscious decision whether to bump it or not.
  • 2
    Latest minor.

    I had only one case of a lib which didn’t know what semver is and released breaking changes with minor updates.

    It was a lib for a paid service. Fucking amateurs.
  • 2
    @Lensflare

    It's actually not unheard of at all, and this is coming from the JS world, where you don't need to care about ABI and have many other language-level features that can soften the blow.

    I've had juniors break complete libraries because they would take my C++ library, run their retarded linter through it that insisted on reordering the fields in a class according to some retarded scheme, and end up completely breaking ABI since memory layouts changed.

    "But who cares about reordering fields, it's all the same!"

    ...
  • 2
    I have had libraries lose features if I didn't track the exact version. If your build system gets broken and you have to rebuild, then it really sucks when you don't know what version actually worked. Had this issue with Python libraries, back when I was still learning how to track that stuff.

    edit: also had this issue with C++ libraries from Boost.
  • 1
    broad, and I delete the lock files

    though because I don't manually add versions, they get pegged to minor versions

    I still .gitignore the lock file though

    and then I get annoyed because I have to go around and find out if things updated at some point, especially if I'm still working on the software and one part of it might be using a newer version than another part of it... aaaa

    patch version should theoretically be where you pin, and most package software does that, because then you get all the minor updates that shouldn't break anything

    though while major version pegging theoretically should never be backwards incompatible, I see patch versions change the API quite often, actually. I actually don't mind updating all my syntax everywhere, though
  • 2
    my method is:

    - i just install stuff

    - if there is deps issue, just upgrade or downgrade random things until it works

    Works every time
  • 0
    Plus blaming npm is a great way to treat yourself to a day off once in a while.

    Remember overworking is very dangerous for health
  • 0
    I never use latest, it's unstable; use exact frozen dependencies and update now and then
  • 2
    @jestdotty

    >> I delete the lock files

    >> I get annoyed when shit stops working

    I guess npm is judeomasonic, or controlled by the Illuminati.
  • 1
    @CoreFusionX

    "judeomasonic, or controlled by the Illuminati"

    oh that's just javascript
  • 0
    @jestdotty

    do you do things differently just for the sake of avoiding being mainstream?
  • 0
    @CoreFusionX what

    no I moved into rust

    and you need a workspace to make anything even sizable, and every project in a workspace has a Cargo file with its own version... which is where I'm like fuck, when I make a new workspace project I sure hope I don't pull in something too new

    but apparently the whole workspace system is designed to not do that

    still, the other day I had to go download a new cargo tool just so I could figure out if anything is outdated anywhere and update it, and a bunch of things were outdated in some of the projects but were modern in others. raaghhh

    npm was nice. I used Node.js since version 0.10. Now npm is a bunch of "donate to me!" messages whenever you install anything, though

    and when the package installing script config fiasco thing started happening I was against it... like why the fuck is your package.json file like 200 lines for the simplest project wtf. people just putting shit in there just to look good. dumb

    Rust's system is more meaningful
  • 0
    @sidthepajfuk no, I want them concise and simple, so I spend 80% of my time figuring out what people added that's unnecessary so I can cut it out of my life and have a more pleasant experience than everybody else

    less is more