How do we want to approach updating modules? #104
Comments
|
My understanding is that this should not be done if there's no particular need to avoid unexpected effects. |
|
Agreed. Moreover, to insure that even running versus |
|
I disagree that we should not npm update projects to the latest versions of apostrophe, apostrophe-blog, etc. routinely when updating them. Once we start making exceptions to that we are going to get into places where people are working around crap forever and not seeing the apostrophe update process as something that's for them and their projects, IMHO. And "I want that fix but I'm afraid of the 20 minor versions I skipped and what they might do." We have strong practices around avoiding bc breaks and regressions in the core modules. And we can get stricter about that if we have to, I'd prefer that to projects being "pinned" ever, possibly excepting very tetchy clients with very risky needs. My 2 cents. |
|
That make sense. I'd be more concerned about updating modules that we don't maintain. If modules are well maintained and take care of specifying dependency versions where necessary it's not a problem. Can we rely on that? |
|
That's a good question. There's a tension between the risk of instability due to poor choices on the part of third party maintainers, and the risk of bugs and security holes due to not paying any mind to updates from third party maintainers. I think security holes are the bigger danger (I'm never, ever, ever going to try to track them on my own across hundreds of modules, nobody is). Which is why I think we should be updating third party modules via the usual semver setup, and pushing our CI plans for client projects forward ASAP. |
Post-launch, if updating a module isn't necessary to fix a particular issue or add a new feature, when, if ever, should we
npm update?The text was updated successfully, but these errors were encountered: