Also it doesn't even matter because the real way to use both uv and npm is to switch everything to = and only update manually, rather than trusting non-major updates not to break anything
Isn't there a lock file for that? I'm mostly a rust dev, but I thought I saw a lock file in a uv project I was vibe coding
But that's why you have a lockfile?
Non-major updates in the npm ecosystem are pretty reliable in my experience; my much more limited Python experience suggests that semver is much less respected on that side of the fence.
Or to introduce a major exploit.
The distinction here is on application vs library, IMO. I basically agree that applications, as a default, `==`'ing everything makes sense.
For libraries, having loose bounds might mean that users upgrade and hit issues due to a lack of an upper bound. But given how lightly maintained most projects are, the risk of upper bounds simply getting in the way is higher IMO.
(Put an upper bound if you know of an issue, of course!)
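The application/library split described in this comment can be turned into a mechanical check. As an added example (not code from any poster or project; the dependency list and every name in it are constructed), the script below classifies each PEP 440 requirement and reports what violates the policy for the chosen role:

```python
import re

# Constructed sample dependency list (PEP 440 specifiers), not from any real project.
SAMPLE_DEPS = """\
django==4.2.11
requests>=2.31,<3
cryptography>=41
pyyaml
uvicorn~=0.29
httpx[http2]>=0.27; python_version >= "3.9"
numpy==1.26.*
"""

_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")
_CLAUSE = re.compile(r"^(===|==|!=|~=|<=|>=|<|>)\s*(\S+)$")


def classify(requirement: str) -> tuple[str, str]:
    """Return (name, category): 'exact' for a single-version == pin, 'bounded'
    when an upper bound exists (<, <=, ~=, or a ==X.Y.* wildcard), otherwise
    'unbounded' (only lower bounds / exclusions / no specifier at all)."""
    body = requirement.split(";", 1)[0].strip()  # drop environment markers
    m = _REQ.match(body)
    if not m:
        raise ValueError(f"unparsable requirement: {requirement!r}")
    name, _extras, spec = m.groups()
    category = "unbounded"
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        cm = _CLAUSE.match(clause)
        if not cm:
            raise ValueError(f"unparsable clause {clause!r} in {requirement!r}")
        op, version = cm.groups()
        if op in ("==", "===") and not version.endswith(".*"):
            return name.lower(), "exact"
        if op in ("~=", "<", "<=", "=="):  # a == reaching here is a wildcard pin
            category = "bounded"
    return name.lower(), category


def audit(deps_text: str, role: str) -> list[tuple[str, str]]:
    """List (name, category) of requirements violating the role's policy: an
    application wants every dependency exactly pinned, a library only needs an
    upper bound so a new major release cannot silently break its users."""
    allowed = {"application": {"exact"}, "library": {"exact", "bounded"}}[role]
    findings = []
    for line in deps_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, category = classify(line)
            if category not in allowed:
                findings.append((name, category))
    return findings
```

Run `audit(SAMPLE_DEPS, "library")` to see only the three unbounded entries, and `audit(SAMPLE_DEPS, "application")` to see everything that is not an exact pin.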
It's a bit tricky, though. Django deps in particular tend to want to explicitly check support for newer versions, but the more I think about it the more I ask myself if this is the right strategy.