Dependencies of modules should not use latest versions
Closed this issue · 1 comment
Programming languages like Node.js have lots of dependencies. In order to prevent breakages, usually dependencies are defined ('pinned') with a version number. This means that you don't get latest security updates automatically, but you prevent breakages for production apps.
In BOMs you can define versions of modules. As a consumer you should expect that these versions stay stable and don't pull in later versions of dependencies than they have been tested with.
For example this is not a good practice:
```yaml
dependencies:
  - id: namespace
    refs:
      - source: github.com/cloud-native-toolkit/terraform-gitops-namespace.git
        version: '>= 1.0.0'
```
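As an added example (not part of the original issue or of the cloud-native-toolkit project), a small Python check that scans a BOM in the shape shown above and reports every ref whose `version` is a range constraint rather than an exact tag. The sample BOM, including the second module name, is constructed for illustration; the line-oriented matching assumes `source:` precedes `version:` within each ref, as in the issue's snippet.

```python
import re

# Constructed sample BOM in the shape shown in the issue; not from the project.
# The first ref uses a range (the anti-pattern), the second an exact tag.
SAMPLE_BOM = """\
dependencies:
  - id: namespace
    refs:
      - source: github.com/cloud-native-toolkit/terraform-gitops-namespace.git
        version: '>= 1.0.0'
  - id: argocd
    refs:
      - source: github.com/example-org/terraform-example-argocd.git
        version: v1.4.2
"""

# Exact semver only: 1.2.3, v1.2.3, = 1.2.3, optionally with a -pre/+build suffix.
# Deliberately strict: two-part versions, wildcards and operators (>=, ~>, ^) fail.
EXACT_VERSION = re.compile(r"^=?\s*v?\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")

# Assumed YAML layout: one "source:" line followed by its "version:" line.
SOURCE_LINE = re.compile(r"^\s*-?\s*source:\s*(\S+)\s*$")
VERSION_LINE = re.compile(r"^\s*version:\s*(.*?)\s*$")


def is_pinned(constraint: str) -> bool:
    """True only when the constraint names exactly one version.

    Ranges such as '>= 1.0.0' or '~> 1.0', wildcards, 'latest' and an empty
    value all return False, because each lets a later, untested release in.
    """
    value = constraint.strip().strip("'\"").strip()
    return bool(EXACT_VERSION.match(value))


def find_unpinned(bom_text: str) -> list[tuple[str, str]]:
    """Return (source, version) pairs whose version is not an exact pin."""
    findings = []
    current_source = None
    for line in bom_text.splitlines():
        m = SOURCE_LINE.match(line)
        if m:
            current_source = m.group(1)
            continue
        m = VERSION_LINE.match(line)
        if m and current_source is not None:
            version = m.group(1).strip().strip("'\"")
            if not is_pinned(version):
                findings.append((current_source, version))
            current_source = None
    return findings


if __name__ == "__main__":
    for source, version in find_unpinned(SAMPLE_BOM):
        print(f"unpinned: {source} version={version!r}")
```

Run against the sample, it reports only the `terraform-gitops-namespace.git` ref with `>= 1.0.0`; a pipeline that fails on a non-empty result gives module publishers the stable-version guarantee the issue asks for, while the cost of maintaining those pins is the trade-off the reply below describes.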
This is a catch-22 situation. If you pin versions of all submodules, you create a maintenance nightmare every time you want to publish a change to the dependent module. We already have cases where we pin versions of deps, and have automation to update known dependencies, but it is still a chore.
This is also why we’ve started switching common dependencies from modules to resources in a terraform provider, so that the provider (resource) version can be specified independently in a provider block.