Given the discussion on DataFrames.jl tagging/dependencies cycle we recently had on Slack I have the following general question.
Currently Pkg manager is strict with respect to ensuring consistency of versions of dependencies. This is great for production. Also I think it is great for core packages that have a guaranteed long term active maintenance.
However, I see a potential problem of the following nature (this has probably been discussed - if yes could someone just point me to the discussion - thank you; I could not find it unfortunately). As the package ecosystem grows and matures with every year we are more and more likely to have the following situation:
we have some great package A that has a dependency B. Package A has not been maintained (e.g. it does what it should in a good way, no changes are needed, the creator focuses efforts on some other things). But it depends on a certain version of package B that after some time got outdated and has some breaking change, so that the current version of B is not supported by A.
Currently if you need - due to some other packages - to have B in its latest version you are not allowed to have A installed at the same time (package manager will report an error trying to install it). I feel (but maybe I am wrong - in such a situation please correct me) - that in the long run this situation might become problematic as such cases will become more and more frequent (I am talking here about 5 to 10 years from now).
What are the possible solutions (I know their drawbacks, but I feel that we could discuss what to do with this situation):
- allow package A to load internally B in another version than B has in the repository (so essentially we would have two versions of B - one used internally by A, other - available for the user; in the case there is a version clash - e.g. an object from global B is passed to local B in A - we error; something like this is already possible with modules - each module can have a submodule that has the same name, but different implementation)
- allow to install A anyway (e.g. some
add) and warn user that the user does it at ones own risk that A could not work correctly with latest version of B and it is not possible to find a feasible combination of versions that meet all the version restrictions
So my question to the community is:
- maybe I grossly do not understand something and we do not have this problem (it would be great then!)
- if we have this problem - then do you think any of the solutions proposed above would be acceptable
Thank you for any comments on this.