From: colin@...
Date: 2020-04-30T04:17:00+00:00
Subject: [ruby-core:98091] [Ruby master Feature#16821] gem version notation for "rational version" compatibility

Issue #16821 has been updated by colindkelley (Colin Kelley).

Thank you for the quick response. Yes, I will refile there. Sorry for mistakenly filing here.

----------------------------------------
Feature #16821: gem version notation for "rational version" compatibility
https://bugs.ruby-lang.org/issues/16821#change-85327

* Author: colindkelley (Colin Kelley)
* Status: Third Party's Issue
* Priority: Normal
----------------------------------------

When a gemspec wants to express a version requirement, we typically use the `'~> '` notation like this:

```ruby
spec.add_dependency 'nokogiri', '~> 1.8'
```

This indicates compatibility following the "rational versioning" as described here: https://github.com/ruby/ruby/blob/master/lib/rubygems/version.rb#L72 (basically the same as Semantic Versioning: https://semver.org/). Anything >= 1.8 and < 2.0 is compatible.

But suppose a CVE comes out like this one: https://github.com/sparklemotion/nokogiri/issues/1915

Many developers reacted to that CVE by changing the requirement to:

```ruby
spec.add_dependency 'nokogiri', '~> 1.10.4'
```

But that isn't correct, as it precludes an upgrade to 1.11. We need a notation that means >= 1.10.4 and < 2.0. The only way to do that currently is to use a combination of two requirements:

```ruby
spec.add_dependency 'nokogiri', '>= 1.10.4', '< 2.0'
```

I propose we add a "rational compatible" option that would do the above. We could choose any prefix to mean that. For example, `'=>'`. Then the CVE requirement could be expressed succinctly:

```ruby
spec.add_dependency 'nokogiri', '=> 1.10.4'
```

And developers could use this "rational compatible" operator as their default for all gem requirements.

The implementation would involve adding one entry to the `OPS` hash in requirement.rb:

```ruby
"=>" => lambda { |v, r| v >= r && v._segments.first < (r._segments.first.to_i + 1) }
```

Please LMK if there's interest. I would be happy to submit a Pull Request including tests and documentation.

--
https://bugs.ruby-lang.org/
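To see concretely which versions each of the requirement styles from the post admits, here is an added example (not part of the original message or of RubyGems) that evaluates them with the stock `Gem::Requirement` API against constructed sample versions, plus a hypothetical `rational_compatible?` helper that reproduces the proposed `=>` semantics using the public `Gem::Version#segments` rather than the internal `_segments`:

```ruby
require "rubygems"

# Constructed sample versions covering the boundaries discussed in the post
# (not taken from any real gem's release history).
CANDIDATES = %w[1.8.0 1.10.3 1.10.4 1.10.9 1.11.0 2.0.0].freeze

# Evaluate one or more RubyGems requirement strings against every candidate.
# Returns a Hash of version string => true/false.
def satisfied_map(*reqs)
  requirement = Gem::Requirement.new(*reqs)
  CANDIDATES.to_h { |v| [v, requirement.satisfied_by?(Gem::Version.new(v))] }
end

# Hypothetical helper implementing the proposed "rational compatible" check:
# accept anything >= the floor and below the next major version.
def rational_compatible?(version, floor)
  v = Gem::Version.new(version)
  r = Gem::Version.new(floor)
  v >= r && v.segments.first < r.segments.first + 1
end

def rational_compatible_map(floor)
  CANDIDATES.to_h { |v| [v, rational_compatible?(v, floor)] }
end

if __FILE__ == $PROGRAM_NAME
  {
    "~> 1.8"               => satisfied_map("~> 1.8"),
    "~> 1.10.4"            => satisfied_map("~> 1.10.4"),
    ">= 1.10.4, < 2.0"     => satisfied_map(">= 1.10.4", "< 2.0"),
    "=> 1.10.4 (proposed)" => rational_compatible_map("1.10.4"),
  }.each do |label, result|
    accepted = result.select { |_, ok| ok }.keys
    puts "#{label}: #{accepted.join(', ')}"
  end
end
```

Running it shows that `~> 1.10.4` drops 1.11.0 while both the two-requirement form and the proposed operator keep it and still reject 1.10.3 and 2.0.0.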