Suggestion: ban fancy semver ranges

[hdgarrood]

I have felt for quite a long time that semver ranges like ^x.y.z or ~x.y.z are an antipattern, because they obscure what the actual bounds are, and they encourage you to tighten lower bounds prematurely. For instance, lots of JS tools push you towards using a caret range with whatever version you happened to be using when you were writing the code. Of course, it's a reasonable default at first if you're adding a dependency at version x.y.z to declare the bounds as >=x.y.z <(x+1).0.0 (note: this is what ^x.y.z means as long as x >= 1), but if you later make a change to support newer versions of that dependency, you often won't need to tighten the lower bound at the same time. That is, if I've written ^x.y.z and I want to allow my package to be used with a new version (x+1).0.0 of the same dependency, caret ranges encourage me to just write ^(x+1).0.0, which means that my package can no longer be used with any x.* version. Instead, if I was forced to write >=x.y.z <(x+1).0.0 to begin with, it's easy to see how to relax the upper bound without tightening the lower bound.

To be explicit, my proposal is that the only acceptable version range operators are >, >=, <, <=, and ==.

Note that the caret or tilde ranges aren't part of the semver spec; as far as I'm aware, they were first introduced by the node semver package. Elm does this already (and in fact goes a little further), by requiring that all version ranges are of the form a.b.c <= v < d.e.f.

[f-f]

Great point. I would totally go as far as Elm does. I have only one question about this: how should we import packages from Bower? Should we convert the caret range to the explicit range?

[hdgarrood]

I think so, yes. I guess the alternative is allowing existing packages to use carets and at some point disallowing new uploads from using them? I don’t have a strong preference but I feel like since we are generating the manifest files for existing versions in an automated manner anyway, we might as well convert them during the initial import?

[f-f]

Yes, I agree that in this case we have the option of converting everything, so we should just go for that.
However there is always the questions of: do we remove packages/versions if we cannot convert them? (in this initial import)

E.g. while trying to mass-convert all Bower packages the first time I found out that ~20 packages were just unreachable (I assume because the owners just took the repos down). In this case taking the decision to just remove them from the index is straightforward, but there are trickier cases, e.g. when it comes to the name-constraints (I didn't check yet if any package would fail the constraints we defined in #3)

Intuitively I'd be fine just removing non-compliant stuff that we cannot convert in any way, but I guess it's good to keep somewhere a list of "things that were removed due to $reason"

[hdgarrood]

I may be wrong, but I think it should always be possible to rewrite any version range which bower understands in a format which would be acceptable according to this proposal.

[thomashoneyman]

What about attempting to adjust a package to the simple bounds, and dropping it / opening a PR to update it if that can’t be done? I’m happy to take on opening PRs to packages that have to be updated so their version bounds work.

[f-f]

I may be wrong, but I think it should always be possible to rewrite any version range which bower understands in a format which would be acceptable according to this proposal.

@hdgarrood I agree with that, in my previous comment I am asking what we should do in the general case.

[f-f]

@thomashoneyman the problem in this case is that published versions are considered immutable, so there's no "update" operation that can be performed, we have to say either "yes" or "no".

For future packages/versions we can just have CI reject packages if the ranges don't fit our constraints, so there shouldn't be the need for us to do updates to repos

[hdgarrood]

Ah right, I see. I don't mind losing a few, but if we find we are rejecting lots of packages which are still in use, then we should probably reconsider. Perhaps if need be we could apply more relaxed rules to package versions which existed before the initial import?

[f-f]

Update: I'm looking at this and trying to implement something using the semver package.

It looks like:

• it's not possible to automatically convert a SemVer caret range to a simple range like the one specified here as "maximum version" of a caret range doesn't seem to be a defined concept, see [QUESTION] Why doesn't semver.maxVersion exist? npm/node-semver#337
• we cannot get a "parse tree" or even answer the question "what kind of range is this?", so we'd have to have a custom parser to detect "simple ranges" or something like that

At this point I am not sure anymore if it's worth adding this constraint at all vs just issuing a recommendation client-side in the publishing flow. This is because in the latter case we don't have to be accurate since it's just a recommendation, while in the CI here we need to be 100% correct so that everything can be automated

[hdgarrood]

Issuing a recommendation client-side sounds fine to me! However I don't think it's true that it's impossible to convert a caret range to a simple >=a.b.c <d.e.f range. The node-semver package readme does give some examples, even:

https://github.com/npm/node-semver#caret-ranges-123-025-004

• ^1.2.3 := >=1.2.3 <2.0.0-0
• ^0.2.3 := >=0.2.3 <0.3.0-0
• ^0.0.3 := >=0.0.3 <0.0.4-0

I suspect the question being asked in the issue you linked, which is impossible to answer, is "given a caret range, what's the maximum version that is within the range?" This is not defined because caret ranges always have a strict upper bound such as <2.0.0, i.e. an upper bound that uses < rather than <=. If you have a strict upper bound, say <2.0.0, you can always add one to the patch version, i.e. 1.x.y -> 1.x.(y+1), so there's no maximum version which satisfies that bound. That's fine though - we don't need to answer the question of "what is the maximum version within the range," because we can just sidestep the issue by providing a strict upper bound.

[f-f]

In #140 we found out that indeed it's possible to convert to "simple ranges" without implementing it ourselves, e.g. see an example conversion from the tests:
https://github.com/purescript/registry/blob/3d091b10d63350e8d374612e0eabbf825394cb40/ci/test/Main.purs#L140

Currently we convert the ranges when importing from Bower, I'll leave this issue open to track the fact that we should error out if the ranges in the Manifest are not simple.

[thomashoneyman]

There is a widespread convention of depending on any version of a package, up to the next major version (or up to the next minor version).

I worry about these simple ranges being problematic in that folks who would usually write ^1.0.0 or ^1.3.4 will start to write >1.0.0 <2.0.0, which can opt them in to pre-releases (ie. that range will include 2.0.0-rc.1 -- Halogen's release candidates come to mind -- but not the actual 2.0.0 release).

They really need to write >1.0.0 <2.0.0-0, but this isn't obvious and I'm going to predict that most people won't do it. I suggest that we take one of these courses of action:

1. We support < <= == >= >, as @hdgarrood suggested, and we also support ^ because of how widely it's used
2. We only support simple ranges, but we implicitly treat the end version as the actual end version (ie. < 2.0.0 is considered to actually mean < 2.0.0-0).
3. We don't allow you to publish versions with build metadata / release candidate information to the registry. If you want to use one of those packages you'll have to point to it directly, not via the registry.

Elm inspired the original discussion here, and I'm fairly sure they don't even allow things like build or pre-release information to be in their version ranges, which means they can do < 2.0.0 with no worries -- it really will restrict to the 1.x.x version series.

[f-f]

I think option (3) is not viable in the first place, because we are importing many packages that have pre-release versions.
I don't have an opinion yet on what's the best course of action here, but I wonder: do we have to do anything in the first place about this, i.e. is it such a big issue?

There are two scenarios where this can happen:

1. a package with overly lax bounds is published
2. an application has overly lax bounds on a package

For case (1) we could simply restrict the bounds (either with authors publishing a new version, or with Trustees fixing the bounds for old packages), and for case (2) the application developers can just fix the bounds locally as soon as they notice the breakage.