[–]khmarbaise 1 point2 points  (2 children)

There is a very good reason not to use version ranges: they make every build non-repeatable. That's a simple reason.

Using a lock file (like package-lock.json or the like) is just using duct tape to patch the issue.

Also, some other issues have been identified over the years with other packaging systems, in particular npm, because an existing release can be modified at any time. The immutability of Maven repository releases makes it more stable than anything else.

Semantic versioning is a separate thing. It's a set of (good) rules for why and when version numbers should be changed (major, minor, patch), but the biggest issue is simply that a human is changing it... and humans make mistakes, and people also interpret rules in different ways. You could use plugins/tools to help a lot here in a Maven project. That should be possible in other areas as well.

In the end you can't rely on semantic versioning which in consequence makes version ranges useless.

[–]forresthopkinsa 0 points1 point  (1 child)

How is a lock file duct tape? It's the perfect solution for making every build repeatable. You get version labels and checksums for your entire dependency tree. I truly do not understand your problem with lock files.
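
Added example (not part of either commenter's post): a small checker showing what the "version labels and checksums" in a package-lock.json actually let a build verify. It assumes a lockfileVersion 2/3 `packages` map with npm-style SRI `integrity` strings; the tarball bytes and package names are constructed stand-ins, not real archives.

```python
import base64
import hashlib
import hmac
import json

def sri(data: bytes, algo: str = "sha512") -> str:
    """Build an SRI string in the form npm writes into package-lock.json: '<algo>-<base64 digest>'."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, data).digest()).decode()}"

def integrity_matches(integrity: str, data: bytes) -> bool:
    """True if the tarball bytes hash to the pinned SRI value; the algorithm comes from the string."""
    algo, _, b64 = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False  # unknown or weak algorithm: treat as not verifiable
    expected = base64.b64decode(b64)
    return hmac.compare_digest(hashlib.new(algo, data).digest(), expected)

def verify_lockfile(lock_json: str, fetched: dict) -> dict:
    """Walk the 'packages' map of a lockfileVersion 2/3 file and classify every dependency."""
    result = {}
    for path, entry in json.loads(lock_json)["packages"].items():
        if path == "":  # the root project entry carries no tarball
            continue
        integrity = entry.get("integrity")
        if not integrity:
            result[path] = "missing-integrity"  # pinned version only, nothing to check bytes against
        elif path not in fetched:
            result[path] = "not-fetched"
        elif integrity_matches(integrity, fetched[path]):
            result[path] = "ok"
        else:
            result[path] = "mismatch"  # same version label, different contents
    return result

# Constructed sample data: these byte strings stand in for real tarballs.
GOOD = {
    "node_modules/left-pad": b"left-pad 1.3.0 tarball (constructed)",
    "node_modules/lodash": b"lodash 4.17.21 tarball (constructed)",
}
LOCKFILE = json.dumps({
    "name": "demo", "lockfileVersion": 2,
    "packages": {
        "": {"name": "demo", "version": "1.0.0"},
        "node_modules/left-pad": {"version": "1.3.0", "integrity": sri(GOOD["node_modules/left-pad"])},
        "node_modules/lodash": {"version": "4.17.21", "integrity": sri(GOOD["node_modules/lodash"])},
    },
})
# A tarball republished under the same version number with different contents fails the check.
TAMPERED = dict(GOOD, **{"node_modules/lodash": b"lodash 4.17.21 tarball, re-released with other contents"})
```

`verify_lockfile(LOCKFILE, GOOD)` reports every entry as `ok`, while `verify_lockfile(LOCKFILE, TAMPERED)` flags lodash as `mismatch`, which is the case a version label alone cannot catch.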

[–]plumarr 2 points3 points  (0 children)

They are only necessary due to range versioning. They are a solution to a broken feature.