[Backport Request] Backport #6142 to 9.2 #6726
Why would debian be pinned to a minor line? The whole point of semver is that you can upgrade within a major with abandon.
Asking them to go from 9.2.0 to 9.4.2 is a bigger ask than to bump a patch version with a very simple diff to verify. I am not sure about their policies on version bumping either, but I figured other people could potentially benefit from having small patch versions that rectify their issue if they run into it. Since the bugfix is fixing an issue introduced in 9.0.0 it makes sense to offer backport patches to the minor versions since then. I totally understand not wanting to do it because of priorities. It is a very niche edge case. But this issue is just to explicitly document npm's stance on backporting this bugfix.
What exactly would they be "verifying"?
The source code diff. Debian package manager maintainers verify the source code before building.
Right, but how are debian package manager maintainers qualified to review the source code of software they don't maintain? What exactly would they find that's a problem?
That discussion is off topic. Feel free to bring up that issue with the Debian team, and maybe they will eventually decide that npm is trustworthy and blindly publish npm@latest after every release. (Which, tbh, would help out a lot of people)
It's on topic in the sense that it's the only reason this request is coming in :-) (to be clear, i'm not part of the npm team, so it's not my decision - i'm just trying to understand the justification)
My position is "just update to latest" and tbh I just use nvm anyways. But there are people that only install software via package managers for their distro and one of them reported build issues that spawned from this bug. I posted a workaround on our README to include --no-install-links in npm install just in case (those not affected won't have any change in behavior). But it would be nice if they could have the issue fixed. Bringing the issue to Debian with a "You must bump to at least 9.4.2, here's the diff" is a bigger ask than "here's a single line diff to bump to 9.2.1", which is why I ask. An answer of "no" is acceptable, and I will link this issue when asking them to bump to 9.4.2.
This might be out of date by now, but npm won't be doing backports to minor release lines. We only do backports to previous major lines and those are on a case-by-case basis.
I think this should be excluded from that policy since the fix in 9.4.2 was a breaking change released as a bugfix. Anyone who uses 9.0, 9.1, 9.2, and 9.3 in an environment where bumping npm is a long process has to just deal with the bug. I would understand the "it was unintentionally breaking, so let's fix it in a patch" logic, but it assumes that absolutely no one uses minor-pinned versions. "let's fix it in a patch" should mean "a patch to each minor version ever since the last major bump". Obviously, the best change moving forward is to treat "reverting unintentional breaking changes as a patch" to mean "a patch to every minor version since the last major version". That said, a workaround exists in this specific case, and I have no interest in trying to push my way into another project's politics... So just take this as a suggestion for future consideration.
Anyone pinning to a minor is signing up for missing out on tons of security and bug fixes. Debian choosing an ill-advised course of action shouldn't force npm's maintainers to incur extra burden.
The extra burden was self-incurred by not making a clearly and self-admittedly breaking change a major semver bump. I am muting this issue now, take the suggestion or leave it. Have a great rest of your day.
The bug fixed in #6142 is present in versions 9.0.0 until 9.4.1 (fix released in 9.4.2).
Debian stable uses 9.2.0, which has the bug present, so I would like to discuss backporting to 9.2 and releasing 9.2.1.
Just for consistency, also releasing a backport for 9.3 would be good as well.
Backporting to 9.1 and 9.0 might also be appropriate, since the issue first appeared in v9.0.0.