-
Notifications
You must be signed in to change notification settings - Fork 40.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider modifying dependency management policy for WebJars Locator #31560
Comments
I'm not sure we should do this. There doesn't seem to be any guarantee that |
Just to confirm, your position on guarantees here is basically due to SemVer item 4?
|
Not from my perspective. It could be |
How come, if this is about backwards compatibility guarantees? Minor should by definition be backwards compatible. |
It's not clear to me if WebJars is following semver or not, but just thinking practically it seems to me that breaking changes are likely possible in a minor version bump. Looking at https://mvnrepository.com/artifact/org.webjars/webjars-locator it appears that there aren't really any patch releases. If we follow the logic that |
Alright, I'll try reaching out to WebJars to see if they're willing to adopt SemVer. |
That would be helpful. It looks like the API is pretty stable so I imagine upgrades are most often back compatible. There have been examples in the past where deprecated classes have been removed so it seems there's no guarantee at the moment. |
I've opened webjars/webjars-locator-core#86. |
Hi all! Thanks for all your great support of WebJars in Spring. :) A few thoughts...
|
Thanks, @jamesward. We added dependency management for FWIW, we don't follow strict SemVer ourselves. We aim for patch releases (third digit) to be drop-in replacements, minor releases to be easy to adopt, and major releases to potentially take a bit more effort. We only consume patch releases of third-party dependencies in our patch releases in a best effort to be a drop-in replacement. Perhaps with a policy like this, automation wouldn't be necessary? |
Apparently there are plans to support WebJars resolution in Spring Framework natively: I'll try looking into that next week and potentially contributing something to help speed things up. |
Oh! That would be ideal. Can you share your thoughts back here as you dive in? |
WebJars Locator (that is,
webjars-locator-core
) usesX.Y
versioning format that doesn't quite align with the semver, however it seems that Spring Boot's dependency management policy treats theY
part as minor here as it didn't pick up0.51
that was released about a week before Spring Boot2.7.1
.I'm not really sure what's the policy for managing dependencies with similar versioning format but it seems that as things stand now Spring Boot will only upgrade WebJars Locator once per its own minor release, meaning
2.7.x
will stick with0.50
which isn't ideal. Could you consider doing an exception here?The text was updated successfully, but these errors were encountered: