Package Manager Usage
Opened this issue · 3 comments
- Do we want to have `Cargo.lock` and `package-lock.json` checked in? Rust says that for libraries, versions should not be pinned, but for applications, they should. Does this conflict with the idea of having them in a shared workspace? (At the moment, `game_controller_app` has its own dependencies, but only because tauri cannot handle workspace dependencies in the latest released version.)
- Are the version specifications in `Cargo.toml` and `package.json` reasonable?
I usually don't write software in ecosystems where you add dependencies this way, so I have no idea what "the right thing" is.
`package.json` isn't pinned. `^` means it can upgrade the patch level.
According to the documentation, `^` can also upgrade minor (and `~` only patch level). The question is rather what we want.
If I understand it correctly, then for packages which can be trusted to use semver correctly (do those exist?), `~` would be okay (and `^` not necessary, because if new features from a minor release are needed the version should be updated manually), while for packages without a strict version scheme we should pin an exact version?
`^` is perfectly normal for node projects, so I think we should keep it. The package-lock says explicitly which versions are known to work.
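The thread above argues about what `^`, `~` and an exact pin actually allow. The following is an added worked example (not code from this issue or from the project) that implements npm's resolution rules for those three spec forms against a constructed registry snapshot, so the difference can be checked rather than remembered. It uses no external package, so it runs offline; pre-release tags and build metadata are out of scope, and `REGISTRY` is a made-up list of published versions. Note the `0.x` edge case: `^0.2.3` stays below `0.3.0`, and `^0.0.3` is effectively an exact pin, which is why caret ranges on `0.x` packages behave more strictly than people expect.

```javascript
// Added example, not part of the original issue thread.
// Resolves npm-style version specs ("^x.y.z", "~x.y.z", "x.y.z") the way
// `npm install` does when no lockfile constrains the choice.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Lexicographic compare on (major, minor, patch); returns -1, 0 or 1.
function compare(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  return 0;
}

// Turn a spec into a half-open interval [lo, hi).
//   ^x.y.z : up to the next bump of the leftmost non-zero component
//            (so ^1.2.3 < 2.0.0, ^0.2.3 < 0.3.0, ^0.0.3 < 0.0.4)
//   ~x.y.z : patch updates only (< x.(y+1).0)
//   x.y.z  : exact pin
function rangeBounds(spec) {
  const op = spec[0] === '^' || spec[0] === '~' ? spec[0] : '';
  const lo = parseVersion(op ? spec.slice(1) : spec);
  let hi;
  if (op === '^') {
    if (lo.major > 0) hi = { major: lo.major + 1, minor: 0, patch: 0 };
    else if (lo.minor > 0) hi = { major: 0, minor: lo.minor + 1, patch: 0 };
    else hi = { major: 0, minor: 0, patch: lo.patch + 1 };
  } else if (op === '~') {
    hi = { major: lo.major, minor: lo.minor + 1, patch: 0 };
  } else {
    hi = { major: lo.major, minor: lo.minor, patch: lo.patch + 1 };
  }
  return { lo, hi };
}

function satisfies(version, spec) {
  const v = parseVersion(version);
  const { lo, hi } = rangeBounds(spec);
  return compare(v, lo) >= 0 && compare(v, hi) < 0;
}

// Highest published version accepted by `spec`, or null if none matches.
function resolve(spec, available) {
  const ok = available.filter((v) => satisfies(v, spec)).map(parseVersion);
  ok.sort(compare);
  const top = ok[ok.length - 1];
  return top ? `${top.major}.${top.minor}.${top.patch}` : null;
}

// Constructed registry snapshot for the demo (hypothetical versions).
const REGISTRY = ['0.2.3', '0.2.7', '0.3.0', '1.2.3', '1.2.9', '1.3.0', '1.9.1', '2.0.0'];

function demo() {
  return {
    caret: resolve('^1.2.3', REGISTRY),      // 1.9.1: minor bumps allowed, 2.0.0 excluded
    tilde: resolve('~1.2.3', REGISTRY),      // 1.2.9: patch bumps only
    exact: resolve('1.2.3', REGISTRY),       // 1.2.3
    caretZero: resolve('^0.2.3', REGISTRY),  // 0.2.7: 0.x caret stays inside 0.2
  };
}

console.log(demo());
```

The practical consequence for the lockfile question: a `^` spec in `package.json` is a policy for what a fresh resolution may pick, while `package-lock.json` records the one concrete version that was actually picked, so a checked-in lockfile (installed with `npm ci`, which refuses to proceed if the lock and `package.json` disagree) is what makes builds reproducible regardless of how wide the ranges are.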