Feature #16821 (closed)
gem version notation for "rational version" compatibility
Description
When a gemspec wants to express a version requirement, we typically use the '~> '
notation like this:
spec.add_dependency 'nokogiri', '~> 1.8'
This indicates compatibility following the "rational versioning" as described here: https://github.com/ruby/ruby/blob/master/lib/rubygems/version.rb#L72
(basically the same as Semantic Versioning: https://semver.org/).
Anything >= 1.8 and < 2.0 is compatible.
But suppose a CVE comes out like this one: https://github.com/sparklemotion/nokogiri/issues/1915
Many developers reacted to that CVE by changing the requirement to:
spec.add_dependency 'nokogiri', '~> 1.10.4'
But that isn't correct, as it precludes an upgrade to 1.11. We need a notation that means >= 1.10.4 and < 2.0.
The only way to do that currently is to use a combination of two requirements:
spec.add_dependency 'nokogiri', '>= 1.10.4', '< 2.0'
I propose we add a "rational compatible" option that would do the above. We could choose any prefix to mean that. For example, '=>'. Then the CVE requirement could be expressed succinctly:
spec.add_dependency 'nokogiri', '=> 1.10.4'
And developers could use this "rational compatible" operator as their default for all gem requirements.
The implementation would involve adding one entry to the OPS hash in requirement.rb:
"=>" => lambda { |v, r| v >= r && v.segments.first < (r.segments.first.to_i + 1) }
Please LMK if there's interest. I would be happy to submit a Pull Request including tests and documentation.
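Worked comparison of the three notations discussed in this issue, as an added example (not code from the issue or from rubygems): the proposed check is implemented as a plain lambda and as a translation into the two-requirement form, rather than by patching Gem::Requirement::OPS, because OPS is frozen in current rubygems and the requirement parser's regexp is built from its keys at load time, so a runtime-added key would not make Gem::Requirement.new("=> 1.10.4") parse anyway. The sample version list is constructed; note that it includes a 2.0 prerelease, where ">= 1.10.4, < 2" and "same major as 1.10.4" disagree.

```ruby
require "rubygems"

# Added example, not the issue's or rubygems' own code. The "=>" spelling is
# the proposal from this issue, not an operator rubygems understands.

# The proposed "rational compatible" check: >= r and the same major version
# as r. Gem::Version#segments is the public accessor; #_segments is protected
# and cannot be called on another object from inside a lambda like this.
RATIONAL_COMPATIBLE = lambda do |v, r|
  v >= r && v.segments.first < r.segments.first + 1
end

# Translate the proposed "=> X.Y.Z" form into the two-requirement form that
# works in gemspecs today: ">= X.Y.Z", "< (X+1)".
def expand_rational(req_string)
  op, version = req_string.split(/\s+/, 2)
  unless op == "=>" && version && !version.empty?
    raise ArgumentError, "expected '=> VERSION', got #{req_string.inspect}"
  end
  major = Gem::Version.new(version).segments.first
  Gem::Requirement.new(">= #{version}", "< #{major + 1}")
end

# For each candidate version string, report whether it satisfies
#   '~> REF'              the pessimistic operator many gems switched to
#   '>= REF', '< MAJOR+1' the two-part form the issue says is the only way today
#   '=> REF'              the proposed operator, via RATIONAL_COMPATIBLE
def compare_requirements(candidates, reference = "1.10.4")
  ref = Gem::Version.new(reference)
  pessimistic = Gem::Requirement.new("~> #{reference}")
  two_part = expand_rational("=> #{reference}")
  candidates.map do |s|
    v = Gem::Version.new(s)
    {
      version: s,
      pessimistic: pessimistic.satisfied_by?(v),
      two_part: two_part.satisfied_by?(v),
      rational: RATIONAL_COMPATIBLE.call(v, ref),
    }
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample versions. 2.0.0.pre sorts below 2.0, so the "< 2"
  # half of the two-part form admits it while the major-version check does not.
  header = format("%-12s %-12s %-10s %s", "version", "~> 1.10.4", ">=,<2", "=> 1.10.4")
  puts header
  compare_requirements(%w[1.10.3 1.10.4 1.10.10 1.11.0 2.0.0.pre 2.0.0]).each do |row|
    puts format("%-12s %-12s %-10s %s",
                row[:version], row[:pessimistic], row[:two_part], row[:rational])
  end
end
```

Run it with `ruby` on its own; the table shows that `~> 1.10.4` rejects 1.11.0 (the problem the issue describes), that the two-part form and the proposed operator both accept it, and that the only place the two differ is on prereleases of the next major, which `< 2` lets through because Gem::Version sorts 2.0.0.pre before 2.0. Whether that difference matters is a question the proposal would need to settle before it lands.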
Updated by nobu (Nobuyoshi Nakada) over 4 years ago
- Status changed from Open to Third Party's Issue
Updated by shyouhei (Shyouhei Urabe) over 4 years ago
Can you report it to rubygems' upstream? It has its own tracker: https://github.com/rubygems/rubygems
Updated by colindkelley (Colin Kelley) over 4 years ago
Thank you for the quick response. Yes, I will refile there. Sorry for mistakenly filing here.