On 10/30/23 20:58, Stephen J. Turnbull wrote:
> Jered Floyd writes:
>
> > I've noticed the django-allauth ecosystem seems to be somewhat prone to breaking changes. I'm sure this discussion has happened before, but it may be worth pinning "known good" dependency versions for django-mailman
>
> That's a double-edged sword, of course, because you will not get security upgrades etc. either.
I agree, but for the past few days I've been thinking whether we should do _something_ about it so that after a while 'pip install' doesn't just start failing for folks, forcing us to do another release to pin to a version that we support.

In the past, we've had to do that a couple of times for various packages, and maybe it doesn't make sense for us to pin to a very specific version, but maybe we can provide a requirements.txt with "~=" compatible release requirements so it doesn't stop newer bugfix/security releases from being installed.

There will still be issues with packages that don't follow semver, or unknown bugs (which was the case IIUC in allauth) that creep up, but it can still protect us from intentional compat changes made by bumping the major version.
Thoughts?
--
thanks,
Abhilash Raj (maxking)
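As an added example (not from the thread, and not django-mailman3's own code), the following implements the "~=" compatible-release rule from PEP 440 that pip applies to such a requirements.txt, so a proposed pin can be checked against candidate versions before a release goes out. The version numbers are constructed, and only final release segments are handled (pre-release suffixes are ignored, an assumption for brevity).

```python
# Added example: how a "~=" (compatible release) specifier in
# requirements.txt is interpreted, per PEP 440:
#   "~=X.Y.Z" is equivalent to ">=X.Y.Z, ==X.Y.*"
# so bugfix releases are accepted while a bump of the next-to-last
# component (major or minor, depending on how many parts are pinned) is not.
import re


def parse_version(v):
    """Split a release version like '0.54.1' into a tuple of ints.
    Assumption: pre-release/local suffixes (e.g. 'rc1') are ignored."""
    return tuple(int(p) for p in re.match(r"^\d+(\.\d+)*", v).group(0).split("."))


def compatible_release_bounds(spec):
    """Return (lower_bound, required_prefix) for a '~=X.Y.Z' specifier."""
    if not spec.startswith("~="):
        raise ValueError("only '~=' specifiers are handled here")
    lower = parse_version(spec[2:].strip())
    if len(lower) < 2:
        raise ValueError("'~=' needs at least two version components")
    return lower, lower[:-1]


def satisfies(spec, version):
    """True if `version` is allowed by the compatible-release `spec`."""
    v = parse_version(version)
    lower, prefix = compatible_release_bounds(spec)
    return v >= lower and v[: len(prefix)] == prefix


def check_requirements(requirements_text, candidates):
    """For each 'name~=ver' line, return which candidate versions would
    still be installable. `candidates` maps package name -> list of versions."""
    allowed = {}
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments/blank lines
        if not line:
            continue
        name, spec = re.match(r"^([A-Za-z0-9_.-]+)\s*(~=.*)$", line).groups()
        allowed[name] = [v for v in candidates.get(name, []) if satisfies(spec, v)]
    return allowed


if __name__ == "__main__":
    # Constructed data: pin the 0.54 series and see what pip could pick.
    reqs = "django-allauth ~= 0.54.0  # bugfixes only\n"
    seen = {"django-allauth": ["0.53.0", "0.54.0", "0.54.2", "0.55.0"]}
    print(check_requirements(reqs, seen))  # {'django-allauth': ['0.54.0', '0.54.2']}
```

Note the caveat from the message above still applies: the rule only helps if the upstream project actually reserves breaking changes for the component you leave unpinned.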