Consider modifying dependency management policy for WebJars Locator #31560
Comments
spring-projects-issues
added
the
status: waiting-for-triage
|
I'm not sure we should do this. There doesn't seem to be any guarantee that |
philwebb
added
status: declined
|
Just to confirm, your position on guarantees here is basically due to SemVer item 4?
|
|
Not from my perspective. It could be |
|
How come, if this is about backwards compatibility guarantees? Minor should by definition be backwards compatible. |
|
It's not clear to me if WebJars is following semver or not, but just thinking practically it seems to me that breaking changes are likely possible in a minor version bump. Looking at https://mvnrepository.com/artifact/org.webjars/webjars-locator it appears that there aren't really any patch releases. If we follow the logic that |
|
Alright, I'll try reaching out to WebJars to see if they're willing to adopt SemVer. |
|
That would be helpful. It looks like the API is pretty stable so I imagine upgrades are most often back compatible. There have been examples in the past where deprecated classes have been removed so it seems there's no guarantee at the moment. |
|
I've opened webjars/webjars-locator-core#86. |
|
Hi all! Thanks for all your great support of WebJars in Spring. :) A few thoughts...
|
|
Thanks, @jamesward. We added dependency management for FWIW, we don't follow strict SemVer ourselves. We aim for patch releases (third digit) to be drop-in replacements, minor releases to be easy to adopt, and major releases to potentially take a bit more effort. We only consume patch releases of third-party dependencies in our patch releases in a best effort to be a drop-in replacement. Perhaps with a policy like this, automation wouldn't be necessary? |
|
Apparently there are plans to support WebJars resolution in Spring Framework natively: I'll try looking into that next week and potentially contributing something to help speed things up. |
|
Oh! That would be ideal. Can you share your thoughts back here as you dive in? |
WebJars Locator (that is,
webjars-locator-core) usesX.Yversioning format that doesn't quite align with the semver, however it seems that Spring Boot's dependency management policy treats theYpart as minor here as it didn't pick up0.51that was released about a week before Spring Boot2.7.1.I'm not really sure what's the policy for managing dependencies with similar versioning format but it seems that as things stand now Spring Boot will only upgrade WebJars Locator once per its own minor release, meaning
2.7.xwill stick with0.50which isn't ideal. Could you consider doing an exception here?The text was updated successfully, but these errors were encountered: