nine_k 4 days ago

The author seems to miss the point of version ranges. Yes, specific versions of dependencies get frozen in the lock file at the moment of building. But the only way to determine these specific versions is to run version resolution across the whole tree. The process finds out which specific versions within the ranges can be chosen to satisfy all the version constraints.

This works with minimal coordination between authors of the dependencies. It becomes a big deal when you have several unrelated dependencies, each transitively requiring that libpupa. The chance they converge on the same exact version is slim. The chance a satisfying version can be found within specified ranges is much higher.

Physical things that are built from many parts have the very same limitation: they need to specify tolerances to account for the differences in production, and would be unable to be assembled otherwise.

tonsky 4 days ago | parent

Yeah, but version ranges are fiction. Someone says: we require libpupa 0.2.0+. Sure, you can find a version in that range. But what if it doesn’t work? How can you know in advance that your library will work with all the future libpupa releases?

wpollock 4 days ago | parent

Under semver, any dependency version X.Y.* is supposed to be compatible with any software that was built with version X.Z.* when Y > Z. If not, the author of the dependency has broken semver.

"Supposed to" being the operative phrase. This is of little comfort when you need version X.Y for a security fix but your build breaks.

Note that Maven is more complex than others here have mentioned. In some cases, Maven compares versions lexically (e.g. version 1.2 is considered newer than version 1.10).

Dependency management is indeed hell.
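Both the resolution process nine_k describes (several dependents each constraining the same libpupa, and a resolver looking for one version inside all of their ranges) and the version-ordering point in wpollock's comment (numeric semver ordering versus plain string ordering, where "1.10" sorts before "1.2") are easy to see in a few dozen lines. The block below is an added, self-contained example written for this page; it is not code from any of the commenters, from npm, or from Maven. The release list for libpupa, the dependent names and their range specs are all constructed for the demonstration, and the range syntax it accepts (`^`, `~`, comparison operators and exact pins) is a deliberately small subset modelled on npm's.

```python
"""Toy version-range resolution for one shared dependency (added example).

Demonstrates three things from the thread:
  1. versions are compared numerically, so 1.10.0 is newer than 1.2.0;
  2. several dependents' ranges are intersected and the highest common
     release wins, while two different exact pins have no solution;
  3. string (lexical) comparison, the pitfall the thread attributes to
     some Maven cases, ranks "1.2.0" above "1.10.0".
"""
from __future__ import annotations

import re
from typing import Optional

# MAJOR.MINOR.PATCH with an optional pre-release tag after '-' or '.', so
# both "1.2.35" and the thread's "1.2.34.pre5" parse.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:[-.]([0-9A-Za-z]+(?:\.[0-9A-Za-z]+)*))?$"
)


def version_key(text: str) -> tuple:
    """Sort key with numeric fields; a pre-release sorts before its release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4)
    return (major, minor, patch, 0 if pre else 1, pre or "")


def is_prerelease(text: str) -> bool:
    return version_key(text)[3] == 0


def satisfies(version: str, spec: str) -> bool:
    """True if `version` is inside `spec` (comma-separated clauses, ANDed).

    Clauses: "1.2.3" exact pin; ">=", ">", "<=", "<" bounds; "^1.2.3" same
    major (same minor for 0.x) and at least 1.2.3; "~1.2.3" same major.minor
    and at least 1.2.3.  A pre-release only ever satisfies an exact pin, so a
    range never silently pulls in something like 1.2.34.pre5.
    """
    v = version_key(version)
    for clause in (c.strip() for c in spec.split(",")):
        if clause[:2] in (">=", "<="):
            op = clause[:2]
        elif clause[0] in "<>^~":
            op = clause[0]
        else:
            op = ""
        bound = version_key(clause[len(op):])
        if op == "":
            if v != bound:
                return False
            continue
        if is_prerelease(version):
            return False
        ok = {
            ">=": v >= bound,
            ">": v > bound,
            "<=": v <= bound,
            "<": v < bound,
            "^": v >= bound and v[0] == bound[0]
                 and (bound[0] != 0 or v[1] == bound[1]),
            "~": v >= bound and v[:2] == bound[:2],
        }[op]
        if not ok:
            return False
    return True


def resolve(available: list[str], requirements: dict[str, str]) -> Optional[str]:
    """Highest available version satisfying every dependent's spec, else None.

    None is the "cannot build" outcome that ranges exist to make rare.
    """
    fits = [v for v in available
            if all(satisfies(v, spec) for spec in requirements.values())]
    return max(fits, key=version_key) if fits else None


def newest(versions: list[str], lexical: bool = False) -> str:
    """Newest version by semver order, or by plain string order if lexical."""
    return max(versions) if lexical else max(versions, key=version_key)


# Constructed release history for the thread's hypothetical libpupa.
LIBPUPA_RELEASES = ["1.1.0", "1.2.30", "1.2.34.pre5", "1.2.34",
                    "1.2.35", "1.2.36", "1.10.0", "2.0.0"]

if __name__ == "__main__":
    # Two exact pins that disagree: nothing satisfies both.
    print(resolve(LIBPUPA_RELEASES, {"app": "1.2.34.pre5", "libfoo": "1.2.35"}))
    # Overlapping ranges: resolver converges on 1.2.36.
    print(resolve(LIBPUPA_RELEASES,
                  {"app": "~1.2.30", "libfoo": ">=1.2.35", "libbar": "^1.0.0"}))
    # Lexical order gets the answer wrong, numeric order gets it right.
    print(newest(["1.2.0", "1.10.0"], lexical=True),
          newest(["1.2.0", "1.10.0"]))
```

Run it directly to see the three printed outcomes; the first line is `None` because two different exact pins have no common version, the second is `1.2.36` because `~1.2.30` keeps the resolver inside 1.2.x even though `^1.0.0` alone would have allowed 1.10.0, and the last line shows string comparison preferring `1.2.0` while numeric comparison correctly picks `1.10.0`. Note the deliberate choice that pre-releases never match a range: a resolver that let `>=1.2.0` pick up `1.2.34.pre5` would be a good way to ship untested code.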

mystifyingpoi 4 days ago | parent

It reminds me of the whole mess of Angular 2+ upgrades. It was, I believe, before lockfiles in npm? Literally every new person joining the team had to get the node_modules handed to them from someone else's machine for the project to work, since `npm install` could never install anything that worked together.

nine_k 4 days ago | parent

More often than not things are compatible within a major version. Very often things are compatible within a minor version.

Not being able to build because one thing depends on libpupa 1.2.34.pre5 and another on 1.2.35 would be a worse outcome, on average.