Relax dependency versions to support more targets? #108

Closed
apjanke opened this issue Jan 4, 2024 · 7 comments

Owner

apjanke commented Jan 4, 2024

Should I relax the version dependencies in gemspec, and use a narrower set for testing and certain publishings? That would allow more users to install it as a gem and make use of it.

Considerations

As of 0.9.1 and especially 0.10.1, Ronn-NG's gem dependency versions are defined rather tightly, to versions that I have actually tested on and know work. That seems good for when you're shipping Ronn-NG as an "application" that expects dedicated bundled/vendored dependencies. But not all targets may be able to supply those, especially in combination with dependencies from other Ruby-based programs that define their own gem version range dependencies, in distro environments that supply the dependency gems like nokogiri or mustache as their own distro packages, so they may have a fixed single "current" version.

Relaxation would look like this: set the minimum version for ruby and gem deps as low as I think I can go and have it still work (even with a couple issues), and don't cap the maximum versions or put exclusions unless I have actually seen issues with that version. Then have a canonical set of dependencies for test runs and "tested well/known good" deployments, the way I use Gemfile.lock now. Would prob want a few different sets of them, for targeting different Ruby versions and/or downstream distros (which may ship only specific versions of dependencies). I don't know if there's a conventional Ruby/gems way of doing that. Maybe maintain a few different Gemfile.lock files in the repo, and switch between them with some symlinking?

Analysis

Downstream Linux packagers are patching gemspec to allow newer mustache versions, because they only ship >=1.0. (Fedora, Arch Linux.) And Debian patches gemspec to relax both mustache and kramdown & nokogiri in both directions.

References

@apjanke apjanke self-assigned this Jan 4, 2024
@apjanke apjanke added enhancement New feature or request help wanted Extra attention is needed packaging labels Jan 4, 2024
@apjanke apjanke added this to ronn-ng Jan 4, 2024
@github-project-automation github-project-automation bot moved this to Needs triage in ronn-ng Jan 4, 2024
@apjanke apjanke moved this from Needs triage to High priority in ronn-ng Jan 4, 2024
@apjanke apjanke added this to the 0.10.1 milestone Jan 4, 2024
Owner Author

apjanke commented Jan 4, 2024

Did this in b4deb42.

Closing as fixed.

@apjanke apjanke closed this as completed Jan 4, 2024
@github-project-automation github-project-automation bot moved this from High priority to Closed in ronn-ng Jan 4, 2024
Owner Author

apjanke commented Jan 4, 2024

Well, gem build doesn't like unbounded version ranges. Dunno if I agree. Could cap it at v 0.0 of the next major version. But then that could cause hassles for packagers if I don't update the gemspec quickly when a new dep major version comes out. Probably not a big deal.

gem build ronn-ng.gemspec
WARNING:  open-ended dependency on kramdown (>= 2.1) is not recommended
  if kramdown is semantically versioned, use:
    add_runtime_dependency "kramdown", "~> 2.1"
WARNING:  open-ended dependency on kramdown-parser-gfm (>= 1.0.1) is not recommended
  if kramdown-parser-gfm is semantically versioned, use:
    add_runtime_dependency "kramdown-parser-gfm", "~> 1.0", ">= 1.0.1"
WARNING:  open-ended dependency on mustache (>= 0.7.0) is not recommended
  if mustache is semantically versioned, use:
    add_runtime_dependency "mustache", "~> 0.7", ">= 0.7.0"
WARNING:  open-ended dependency on nokogiri (>= 1.14.3) is not recommended
  if nokogiri is semantically versioned, use:
    add_runtime_dependency "nokogiri", "~> 1.14", ">= 1.14.3"
WARNING:  open-ended dependency on rack (>= 2.2.3, development) is not recommended
  if rack is semantically versioned, use:
    add_development_dependency "rack", "~> 2.2", ">= 2.2.3"
WARNING:  open-ended dependency on rake (>= 13.0.3, development) is not recommended
  if rake is semantically versioned, use:
    add_development_dependency "rake", "~> 13.0", ">= 13.0.3"
WARNING:  open-ended dependency on rubocop (>= 1.25.1, development) is not recommended
  if rubocop is semantically versioned, use:
    add_development_dependency "rubocop", "~> 1.25", ">= 1.25.1"
WARNING:  open-ended dependency on sinatra (>= 2.2.3, development) is not recommended
  if sinatra is semantically versioned, use:
    add_development_dependency "sinatra", "~> 2.2", ">= 2.2.3"
WARNING:  open-ended dependency on test-unit (>= 3.2.7, development) is not recommended
  if test-unit is semantically versioned, use:
    add_development_dependency "test-unit", "~> 3.2", ">= 3.2.7"
WARNING:  See https://guides.rubygems.org/specification-reference/ for help
  Successfully built RubyGem
  Name: ronn-ng
  Version: 0.10.1.pre4
  File: ronn-ng-0.10.1.pre4.gem

Contributor

voxik commented Jan 4, 2024

> Well, gem build doesn't like unbounded version ranges. Dunno if I agree

One option could be to do something like:

s.add_dependency 'kramdown', ['~>2', '>= 2.1']

Owner Author

apjanke commented Jan 4, 2024

> s.add_dependency 'kramdown', ['~>2', '>= 2.1']

Yeah, that sounds about like what I want. Didn't know whether you could do major-version-only restrictions on ~> specifiers. Think I'll give that a try.

Owner Author

apjanke commented Jan 4, 2024

> s.add_dependency 'kramdown', ['~>2', '>= 2.1']

Well, that looks like what I want to do, conceptually. But it doesn't seem to work. I tried doing that, without the brackets, here at 7c774d6. Didn't like that:

[ronn-ng] $ git log --oneline | head -2
7c774d6 WIP: tighten deps a bit
2b3f6b3 rel: v0.10.1.pre5
[ronn-ng] $ git status
HEAD detached at 7c774d6
nothing to commit, working tree clean
[ronn-ng] $ gem build ronn-ng.gemspec
sh: /Users/janke: is a directory
Invalid gemspec in [ronn-ng.gemspec]: Illformed requirement [""]
ERROR:  Error loading gemspec. Aborting.
[ronn-ng] $ bundle install
sh: /Users/janke: is a directory

[!] There was an error parsing `Gemfile`:
[!] There was an error while loading `ronn-ng.gemspec`: Illformed requirement [""]. Bundler cannot continue.

 #  from /Users/janke/repos/ronn-ng/ronn-ng.gemspec:63
 #  -------------------------------------------
 #    s.add_dependency 'kramdown',              '~> 2', '>= 2.1'
 >    s.add_dependency 'kramdown-parser-gfm',   `~> 1`, '>= 1.0.1'
 #    s.add_dependency 'mustache',              '~> 1'
 #  -------------------------------------------
. Bundler cannot continue.

 #  from /Users/janke/repos/ronn-ng/Gemfile:2
 #  -------------------------------------------
 #  source 'https://rubygems.org'
 >  gemspec
 #  -------------------------------------------
[ronn-ng] $

Weird thing: after I did that, there was a new file in that dir, named "1" and with 0 contents.

[ronn-ng] $ git status
HEAD detached at 7c774d6
Untracked files:
  (use "git add <file>..." to include in what will be committed)
	1

nothing added to commit but untracked files present (use "git add" to track)
[ronn-ng] $ ls -l 1
-rw-r--r--  1 janke  staff  0 Jan  4 08:02 1
[ronn-ng] $ cat 1
[ronn-ng] $

I also tried it without the spaces between the ~> and the number. No love; same error.

So I tried going with your "brackets around the version predicates" approach.

  s.extra_rdoc_files = %w[LICENSE.txt AUTHORS]
  s.add_dependency 'kramdown',              ['~> 2', '>= 2.1']
  s.add_dependency 'kramdown-parser-gfm',   [`~> 1`, '>= 1.0.1']
  s.add_dependency 'mustache',              ['~> 1']
  # nokogiri <= 1.14.2 mishandle tag names with ":" in them (see #102)
  s.add_dependency 'nokogiri',              ['~> 1', '>= 1.14.3']
  # rack < 2.2.3 have security vulns
  s.add_development_dependency 'rack',      ['~> 2', '>= 2.2.3']
  s.add_development_dependency 'rake',      ['~> 13', '>= 13.0.3']
  # just a guess based on what I used to use
  s.add_development_dependency 'rubocop',   ['~> 1', '>= 1.25.1']
  s.add_development_dependency 'rubocop-rake', ['~> 0']
  # sinatra < 2.2.3 have security vulns
  s.add_development_dependency 'sinatra',   ['~> 2', '>= 2.2.3']
  s.add_development_dependency 'test-unit', ['~> 3', '>= 3.2.7']

No love.

[ronn-ng] $ date
Thu Jan  4 08:11:12 EST 2024
[ronn-ng] $ git log --oneline | head -2
e692257 WIP: tighten dep vers, but use square brackets
7c774d6 WIP: tighten deps a bit
[ronn-ng] $ git status
On branch WIP/deps-tightify
Your branch is up to date with 'origin/WIP/deps-tightify'.

nothing to commit, working tree clean
[ronn-ng] $ rm -f Gemfile.lock
[ronn-ng] $ bundle install
sh: /Users/janke: is a directory

[!] There was an error parsing `Gemfile`:
[!] There was an error while loading `ronn-ng.gemspec`: Illformed requirement [""]. Bundler cannot continue.

 #  from /Users/janke/repos/ronn-ng/ronn-ng.gemspec:63
 #  -------------------------------------------
 #    s.add_dependency 'kramdown',              ['~> 2', '>= 2.1']
 >    s.add_dependency 'kramdown-parser-gfm',   [`~> 1`, '>= 1.0.1']
 #    s.add_dependency 'mustache',              ['~> 1']
 #  -------------------------------------------
. Bundler cannot continue.

 #  from /Users/janke/repos/ronn-ng/Gemfile:2
 #  -------------------------------------------
 #  source 'https://rubygems.org'
 >  gemspec
 #  -------------------------------------------
[ronn-ng] $ gem build ronn-ng.gemspec
sh: /Users/janke: is a directory
Invalid gemspec in [ronn-ng.gemspec]: Illformed requirement [""]
ERROR:  Error loading gemspec. Aborting.
[ronn-ng] $

Contributor

voxik commented Jan 4, 2024

Thank you for the precise steps. I think the problem is elsewhere, let me highlight the offending line:

>  >    s.add_dependency 'kramdown-parser-gfm',   `~> 1`, '>= 1.0.1'

Can you spot the issue?

The line should look like this:

s.add_dependency 'kramdown-parser-gfm',   '~> 1', '>= 1.0.1'

IOW the difference is backtick vs single quote. The backticks are trying to execute something like ~> 1, resulting in error messages such as sh: /Users/janke: is a directory and returning an empty string, and therefore Illformed requirement [""].
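
Added example (not from the thread or the Ronn-NG repo): a static scan that finds backtick literals in gemspec source without evaluating it, plus a check of how RubyGems parses the resulting empty string and the `'~> 2', '>= 2.1'` pair discussed above. `SAMPLE_GEMSPEC` and the helper names are constructed for illustration.

```ruby
require 'ripper'
require 'rubygems'

# Constructed sample: dependency lines as quoted in the thread, typo included.
# In sh, `~> 1` is the word ~ (the home directory) run as a command, with
# stdout redirected to a file named 1.
SAMPLE_GEMSPEC = <<~'RUBY'
  s.add_dependency 'kramdown',              ['~> 2', '>= 2.1']
  s.add_dependency 'kramdown-parser-gfm',   [`~> 1`, '>= 1.0.1']
  s.add_dependency 'mustache',              ['~> 1']
RUBY

# Lex the source without evaluating it and return [line, command] for every
# backtick or %x literal, i.e. every string Ruby would hand to a shell.
# (Interpolation inside the literal is not handled by this small scanner.)
def backtick_commands(source)
  found = []
  current = nil
  Ripper.lex(source).each do |(line, _col), type, text|
    case type
    when :on_backtick then current = [line, +'']
    when :on_tstring_content then current[1] << text if current
    when :on_tstring_end
      found << current if current
      current = nil
    end
  end
  found
end

# Run requirement strings through RubyGems' parser; returns the error message
# for rejected input (such as the "" a failed shell command yields), else nil.
def requirement_error(*reqs)
  Gem::Requirement.new(*reqs)
  nil
rescue Gem::Requirement::BadRequirementError => e
  e.message
end

# True when `version` satisfies every requirement in `reqs`.
def allowed?(version, *reqs)
  Gem::Requirement.new(*reqs).satisfied_by?(Gem::Version.new(version))
end

if $PROGRAM_NAME == __FILE__
  p backtick_commands(SAMPLE_GEMSPEC)
  p requirement_error('')
  p %w[2.0.3 2.1 2.9.0 3.0].map { |v| [v, allowed?(v, '~> 2', '>= 2.1')] }
end
```

Because a gemspec is ordinary Ruby evaluated by `gem build` and `bundle install`, a scan like this can run in CI before either command loads the file.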

Owner Author

apjanke commented Jan 4, 2024

loooool. That is totally what it was. How in the heck did I manage to do that?

Clearly I've been at it too long today. I'm going to bed to get a good night's sleep; I'll talk to you again tomorrow. :)
