Feature #16821

gem version notation for "rational version" compatibility

Added by colindkelley (Colin Kelley) 3 months ago. Updated 3 months ago.

Status: Third Party's Issue

When a gemspec wants to express a version requirement, we typically use the '~> ' notation like this:

  spec.add_dependency 'nokogiri', '~> 1.8'

This indicates compatibility following the "rational versioning" as described here:
(basically the same as Semantic Versioning:

Anything >= 1.8 and < 2.0 is compatible.

But suppose a CVE comes out like this one:
Many developers reacted to that CVE by changing the requirement to:

  spec.add_dependency 'nokogiri', '~> 1.10.4'

But that isn't correct, as it precludes an upgrade to 1.11. We need a notation that means >= 1.10.4 and < 2.0.

The only way to do that currently is to use a combination of two requirements:

  spec.add_dependency 'nokogiri', '>= 1.10.4', '< 2.0'

I propose we add a "rational compatible" option that would do the above. We could choose any prefix to mean that. For example, '=>'. Then the CVE requirement could be expressed succinctly:

  spec.add_dependency 'nokogiri', '=> 1.10.4'

And developers could use this "rational compatible" operator as their default for all gem requirements.

The implementation would involve adding one entry to the OPS hash in requirement.rb:

    # proposed entry for Gem::Requirement::OPS: v >= r and v still in r's major series
    # (uses the public Gem::Version#segments; _segments is protected and cannot be
    # called from Gem::Requirement)
    "=>" =>  lambda { |v, r| v >= r && v.segments.first < (r.segments.first.to_i + 1) }

Please LMK if there's interest. I would be happy to submit a Pull Request including tests and documentation.
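The following is an added example, not code from the issue or from RubyGems itself, that runs the three ways of writing the post-CVE requirement side by side. The proposed '=>' prefix is not a real RubyGems operator, so it is implemented here as a stand-alone lambda (`RATIONAL_COMPATIBLE`) with the semantics described above (>= the requirement and below the next major), while the stock operators go through `Gem::Requirement`. The helper names `satisfied?` and `compatibility_table` and the list of sample version numbers are assumptions of this example.

```ruby
require 'rubygems' # Gem::Version and Gem::Requirement ship with Ruby

# Hypothetical "rational compatible" operator from the proposal, written as a
# stand-alone lambda instead of an entry in Gem::Requirement::OPS.
# Semantics: v >= r and v stays below the next major version of r.
RATIONAL_COMPATIBLE = lambda do |v, r|
  next_major = Gem::Version.new((r.segments.first.to_i + 1).to_s)
  v >= r && v.release < next_major
end

# Evaluate one or more requirement strings against a version string.
# Stock operators go through Gem::Requirement; the proposed '=>' prefix
# (not a real RubyGems operator) is dispatched to the lambda above.
def satisfied?(version, *requirements)
  v = Gem::Version.new(version)
  requirements.all? do |req|
    if req.start_with?('=> ')
      RATIONAL_COMPATIBLE.call(v, Gem::Version.new(req.delete_prefix('=> ')))
    else
      Gem::Requirement.new(req).satisfied_by?(v)
    end
  end
end

# Constructed sample version numbers in the style of the nokogiri releases
# discussed in the issue (not a real release list).
SAMPLE_VERSIONS = %w[1.8.0 1.10.3 1.10.4 1.10.9 1.11.0 2.0.0].freeze

# For each way of writing the requirement, list which sample versions it admits.
def compatibility_table
  {
    '~> 1.8'               => SAMPLE_VERSIONS.select { |v| satisfied?(v, '~> 1.8') },
    '~> 1.10.4'            => SAMPLE_VERSIONS.select { |v| satisfied?(v, '~> 1.10.4') },
    '>= 1.10.4, < 2.0'     => SAMPLE_VERSIONS.select { |v| satisfied?(v, '>= 1.10.4', '< 2.0') },
    '=> 1.10.4 (proposed)' => SAMPLE_VERSIONS.select { |v| satisfied?(v, '=> 1.10.4') }
  }
end

if $PROGRAM_NAME == __FILE__
  compatibility_table.each { |req, ok| puts "#{req.ljust(22)} allows #{ok.join(' ')}" }
end
```

Running it shows the point of the issue: '~> 1.10.4' admits only the 1.10.x line and drops 1.11.0, whereas the two-part requirement and the proposed operator both admit 1.10.4 through 1.11.0 and stop at 2.0.0.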


Updated by nobu (Nobuyoshi Nakada) 3 months ago

  • Status changed from Open to Third Party's Issue

Updated by shyouhei (Shyouhei Urabe) 3 months ago

Can you report it to rubygems' upstream? It has its own tracker:

Updated by colindkelley (Colin Kelley) 3 months ago

Thank you for the quick response. Yes, I will refile there. Sorry for mistakenly filing here.
