Hacker News new | ask | show | jobs
by ryangibb 106 days ago
> Presumably you mean compatible rather than incompatible there?

I've edited for clarity, I mean "because packages with different major versions should have incompatible APIs anyway."

> While you can specify upper bounds for the depdnency ranges, that is extremely uncommon in practice.

In https://github.com/rust-lang/crates.io-index I count just under 7000 upper bounds on dependency ranges that aren't just semver in disguise (e.g. not ">=1.0.0, <2.0.0"):

    $ rg --no-filename -o '"req":"[^"]*<[^"]*"' . | grep -Ev '< ?=? ?([0-9]+(\.0){0,2}|0\.[0-9]+(\.0)?)"' | wc -l
    6727
So it's definitely used. One person's non-breaking change is another's breaking change https://xkcd.com/1172/
1 comments
VorpalWay 105 days ago
How many of those are between a crate and it's proc macro crate? E.g. serde and serde_derive. I believe that is a common use case for exact dependencies, as they are really the same crate but have to be split due to how proc-macros work. But that is getting down in the weeds of peculiarites of how rustc works.
link
ryangibb 105 days ago
As far as I can tell, checking for proc macro crates by suffix, only one: ergol -> ergol_proc_macro with >=0.0.1, <0.0.2.

I didn't include singular dependencies in this grep (=) just upper bounds (< and <=).

Some rough scripting is telling me there's over 600,000 singular dependencies of which just under 10,000 are proc-macro pairs.

link
VorpalWay 102 days ago
That is much more than I expected. I guess people are bad at actually following semver fairly often.
link