jim33442 2 hours ago

Also it doesn't even matter because the real way to use both uv and npm is to switch everything to = and only update manually, rather than trusting non-major updates not to break anything

rtpg an hour ago | parent | next [-]

The distinction here is on application vs library, IMO. I basically agree that applications, as a default, `==`'ing everything makes sense.

For libraries, having loose bounds might mean that users upgrade and hit issues due to a lack of an upper bound. But given how lightly maintained most projects are, the risk of upper bounds simply getting in the way is higher, IMO.

(Put an upper bound if you know of an issue, of course!)

It's a bit tricky though. Django deps in particular tend to want to explicitly check support for newer versions, but the more I think about it, the more I ask myself if this is the right strategy.
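The application-versus-library split in the two posts above can be turned into a mechanical check. The following is an added example, not code from any commenter or from uv or npm: it parses a list of PEP 508 style requirement strings with a small hand-written parser (not the `packaging` library), classifies each version specifier as exact, bounded, lower-only, upper-only or unbounded, and applies an assumed policy: applications must pin with `==`, libraries must declare a lower bound and must not pin exactly. The requirement lists and the policy wording are constructed for illustration.

```python
import re

# Simplified PEP 508 requirement: name, optional extras, version clauses, optional marker.
# Constructed for this example; a real parser should use the `packaging` library.
_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)\s*(\[[^\]]*\])?\s*([^;]*?)\s*(?:;.*)?$"
)
# One version clause such as ">=2.31", "==1.4.*" or "~=1.4".
_CLAUSE_RE = re.compile(r"^(===|==|~=|!=|<=|>=|<|>)\s*(\S+)$")


def parse_requirement(req: str) -> tuple[str, str]:
    """Split 'requests[security]>=2.31,<3 ; marker' into ('requests', '>=2.31,<3')."""
    m = _REQ_RE.match(req)
    if not m:
        raise ValueError(f"unparseable requirement: {req!r}")
    return m.group(1), m.group(3)


def classify_specifier(spec: str) -> str:
    """Return 'exact', 'bounded', 'lower_only', 'upper_only' or 'unbounded'."""
    clauses = [c.strip() for c in spec.split(",") if c.strip()]
    if not clauses:
        return "unbounded"
    has_lower = has_upper = False
    for clause in clauses:
        m = _CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"unparseable version clause: {clause!r}")
        op, version = m.group(1), m.group(2)
        prefix_match = op == "==" and version.endswith(".*")
        if op == "===" or (op == "==" and not prefix_match):
            return "exact"  # a single allowed version wins over everything else
        # "~=" (compatible release) and "==X.Y.*" bound the version from both sides.
        if op in (">=", ">", "~=") or prefix_match:
            has_lower = True
        if op in ("<=", "<", "~=") or prefix_match:
            has_upper = True
        # "!=" excludes one version and bounds nothing.
    if has_lower and has_upper:
        return "bounded"
    if has_lower:
        return "lower_only"
    if has_upper:
        return "upper_only"
    return "unbounded"


def check_dependencies(requirements: list[str], project_kind: str) -> list[tuple[str, str, str]]:
    """Apply the assumed pinning policy; return (name, verdict, message) for each violation."""
    if project_kind not in ("application", "library"):
        raise ValueError(f"unknown project kind: {project_kind!r}")
    findings = []
    for req in requirements:
        name, spec = parse_requirement(req)
        verdict = classify_specifier(spec)
        if project_kind == "application" and verdict != "exact":
            findings.append((name, verdict, "application dependency should be pinned with =="))
        elif project_kind == "library":
            if verdict == "exact":
                findings.append((name, verdict, "exact pin in a library conflicts with users' other deps"))
            elif verdict in ("unbounded", "upper_only"):
                findings.append((name, verdict, "library dependency has no lower bound"))
    return findings


# Constructed sample inputs (not from any real project).
APP_REQUIREMENTS = [
    "django==5.0.6",
    "requests[security]>=2.31,<3 ; python_version < '3.13'",
    "celery",
]
LIB_REQUIREMENTS = ["django>=4.2", "requests==2.31.0", "numpy"]

if __name__ == "__main__":
    for kind, reqs in (("application", APP_REQUIREMENTS), ("library", LIB_REQUIREMENTS)):
        for name, verdict, msg in check_dependencies(reqs, kind):
            print(f"[{kind}] {name}: {verdict}: {msg}")
```

The check deliberately treats `~=` and `==X.Y.*` as bounded rather than exact: they still admit new patch releases, which is the trust-in-non-major-updates question the thread is about. The library rule only complains about a missing lower bound, matching the stance that an upper bound belongs there when a specific incompatibility is known.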

elyobo an hour ago | parent | prev | next [-]

Non-major updates in the npm ecosystem are pretty reliable in my experience; my much more limited Python experience suggests that semver is much less respected on that side of the fence.

jim33442 36 minutes ago | parent [-]

I've noticed it's better in npm than in Python, but I've still been burned enough times.

galangalalgol 2 hours ago | parent | prev | next [-]

Isn't there a lock file for that? I'm mostly a rust dev, but I thought I saw a lock file in a uv project I was vibe coding

jim33442 2 hours ago | parent [-]

The lockfile does more than just pin the versions of your immediate deps, so one might reset it for some other reason. Or you might want to update individual packages without caring about the specific commands for that, so you edit the package file, delete lockfile, reinstall.

galangalalgol 3 minutes ago | parent [-]

But if I use uv sync and the package I want, I don't ever need to toss the whole file, right? In Rust I'd never sign off on an MR that just randomly updated lots of deps with no reason tied to the issue they were resolving.

mrtranscendence 2 hours ago | parent | prev | next [-]

That doesn't work for library projects, though.

jim33442 2 hours ago | parent [-]

Yeah that's true. I can't imagine someone making a lib would just install deps without specifying version ranges, but maybe they do.

chippiewill 2 hours ago | parent | prev | next [-]

But that's why you have a lockfile?

jimbokun an hour ago | parent | prev [-]

Or to introduce a major exploit.