Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
deps: relaxed and more precise dependency versions, to support more target environments

Allowing a broader range of versions for dependency gems will let a given ronn-ng version work in more environments, particularly distros that have fixed versions of the dependency gems in their packages, and systems running older Ruby versions.

Added comments to the gemspec to explain why the version restrictions are there. I left them all open-ended on the upper bound because I'm not aware of any dep versions that break things, and I'll just assume back-compatibility until I know otherwise for specific gems.

The nokogiri minimum version is 1.14.3, because that's required for the behavior we want for HTML tag names with ":" in them. See #102.

I updated Gemfile.lock instead of removing it, but I no longer know if that's significant or good in deployment. Right now I'm mostly considering it an indication of the exact versions I tested it most heavily with. I don't expect downstream packagers to use or respect Gemfile.lock.
Showing 4 changed files with 56 additions and 30 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
# Ronn-NG Dependency Notes | ||
|
||
Ronn-NG tries to allow a wide range of dependency versions in its gemspec, and be strict and even specific about its gem dependencies in deployment and testing scenarios. This will hopefully let users install it as a gem in a wide variety of environments, and let distro packagers fit it in with different fixed versions of packaged dependencies, but be correct-er in testing and deployment in app or package form. | ||
|
||
## Ruby version | ||
|
||
I only develop and test on Ruby 2.6 and newer, and those are the only versions supported. Will probably be requiring >= 2.7 soon as of 2023. | ||
|
||
Chose Ruby 2.6 as the minimum because those are the ones that come with bundler included, and I don't want to bother installing it there. (The default `gem install bundler` doesn't work; a version-specific `gem install bundler -v 2.3.26` might, but use of it tends to break due to bugs in early gem and bundler versions, and I don't want to deal with that.) | ||
|
||
I mostly test on Ruby 2.7 or 3.x, because that's waht to seems to be in common use and distro shipping in 2023. | ||
|
||
## Gem versions | ||
|
||
I'm currently keeping the gem dependency versions in the gemspec as loose as I can, while everything still works (tests pass and I don't notice anything breaking), and keeping the min version high enough to pick up security fixes that I know about (mostly through Dependabot on GitHub). Specific reasons for those versions are noted in comments in the gemspec. | ||
|
||
If you need to install it in an environment that only supplies older gems, edit the gemspec to relax the minimum version, and maybe it'll work? But it will be unsupported. | ||
|
||
### nokogiri | ||
|
||
We require nokogiri >= [1.14.3](https://github.com/sparklemotion/nokogiri/releases/tag/v1.14.3) because earlier versions have undesirable handling of tag names with ":" characters in them (which look like namespaces). I don't know if that's a bug or not; I assume so because it's a material behavior change in a patch version increment. That nokogiri version bumped its vendored libxml2 from 2.10.3 to 2.10.4. See [issue #102 "libxml 2.10+ compatibility for dot. and foo:colon angle-bracket syntax"](https://github.com/apjanke/ronn-ng/issues/102). Earlier libxml2 versions also have security vulnerabilities; that's why the [nokogiri 1.14.3 release notes](https://github.com/sparklemotion/nokogiri/releases/tag/v1.14.3) say they upgraded. |
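Review bot: In the nokogiri section, the >= 1.14.3 floor is justified by that release's vendored libxml2 bump (2.10.3 to 2.10.4), but the file's stated audience includes distro packagers with fixed versions of packaged dependencies, and the text does not say whether the floor still gives the wanted ":" tag-name handling and the security fixes when nokogiri is not using its vendored libxml2. Suggest adding one sentence that states which libxml2 version is actually needed, so a packager knows what to check beyond the gem version. The closing sentence "Earlier libxml2 versions also have security vulnerabilities" would be easier to act on if it named the advisories or pointed at the relevant part of the release notes. Minor: in the Ruby version section, "that's waht to seems to be" should read "that's what seems to be", and "soon as of 2023" leaves it unclear whether 2.7 is already required.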