Project

General

Profile

Feature #16821

gem version notation for "rational version" compatibility

Added by colindkelley (Colin Kelley) 3 months ago. Updated 3 months ago.

Status:
Third Party's Issue
Priority:
Normal
Assignee:
-
Target version:
-
[ruby-core:98087]

Description

When a gemspec wants to express a version requirement, we typically use the '~> ' notation like this:

  spec.add_dependency 'nokogiri', '~> 1.8'

This indicates compatibility following the "rational versioning" as described here: https://github.com/ruby/ruby/blob/master/lib/rubygems/version.rb#L72
(basically the same as Semantic Versioning: https://semver.org/).

Anything >= 1.8 and < 2.0 is compatible.

But suppose a CVE comes out like this one: https://github.com/sparklemotion/nokogiri/issues/1915
Many developers reacted to that CVE by changing the requirement to:

  spec.add_dependency 'nokogiri', '~> 1.10.4'

But that isn't correct, as it precludes an upgrade to 1.11. We need a notation that means >= 1.10.4 and < 2.0.

The only way to do that currently is to use a combination of two requirements:

  spec.add_dependency 'nokogiri', '>= 1.10.4', '< 2.0'

I propose we add a "rational compatible" option that would do the above. We could choose any prefix to mean that. For example, '=>'. Then the CVE requirement could be expressed succinctly:

  spec.add_dependency 'nokogiri', '=> 1.10.4'

And developers could use this "rational compatible" operator as their default for all gem requirements.

The implementation would involve adding one entry to the OPS hash in requirement.rb:

    "=>" =>  lambda { |v, r| v >= r && v._segments.first < (r._segments.first.to_i + 1) }

Please LMK if there's interest. I would be happy to submit a Pull Request including tests and documentation.

#1

Updated by nobu (Nobuyoshi Nakada) 3 months ago

  • Status changed from Open to Third Party's Issue

Updated by shyouhei (Shyouhei Urabe) 3 months ago

Can you report it to rubygems' upstream? It has its own tracker: https://github.com/rubygems/rubygems

Updated by colindkelley (Colin Kelley) 3 months ago

Thank you for the quick response. Yes, I will do refile there. Sorry for mistakenly filing here.

Also available in: Atom PDF