Say packages A and B both depend on HTTP, but B isn’t being maintained anymore and still uses 0.9.17. A is fresh and up-to-date and can run on HTTP 1.5.1. I want to use both packages A and B in my application, but I don’t want to have to update package B to HTTP 1.5.1 just so I can have a single install of HTTP in my environment. Is there a solution to this?
I read somewhere that this isn’t possible? Isn’t that unfortunate if perfectly good legacy packages cannot be used just because people don’t have time to update and test their dependencies?
If you need to use both A and B simultaneously in the same application (i.e. you can’t install them in separate environments), then you’ll need to fork B and update its dependencies.
And possibly use that to suggest a pull request to the package, if the tests pass.
And if the authors are completely unresponsive (and the license permits it), at some point one can register a new maintained version with a new name, ideally passing it to some organization where this kind of problem is easier to resolve.
In my particular case the dependency is just six months out of date, so I will put in the work to update B. I’m thinking, in a more complex case, if private copies of B and HTTP can be used, where the private HTTP stays at version 0.9.17 but gets a new UUID?
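As an added illustration (not code from this thread or from any package it mentions), the rule the replies rely on: a Julia-style resolver identifies each package by UUID and lets one environment hold only one version per UUID, so A and B must agree on HTTP unless one of them points at a differently-identified package. The script assumes caret compat semantics ("1.5.1" means >=1.5.1,<2.0.0; "0.9.17" means >=0.9.17,<0.10.0) and uses constructed placeholder UUIDs, not HTTP's real one; it models the conflict as asked, the forked-and-updated B, and the private-copy-with-new-UUID idea.

```python
from dataclasses import dataclass

# Added example: a Julia-style resolver identifies packages by UUID and allows one
# version per UUID per environment; compat entries use caret semantics
# ("1.5.1" = >=1.5.1,<2.0.0; "0.9.17" = >=0.9.17,<0.10.0). UUIDs are placeholders.

@dataclass(frozen=True, order=True)
class Version:
    major: int
    minor: int
    patch: int

    @classmethod
    def parse(cls, text):
        return cls(*(int(part) for part in text.split(".")))

def caret_range(spec):
    """Inclusive lower and exclusive upper bound of a caret compat entry."""
    lo = Version.parse(spec)
    if lo.major > 0:
        return lo, Version(lo.major + 1, 0, 0)
    if lo.minor > 0:
        return lo, Version(0, lo.minor + 1, 0)
    return lo, Version(0, 0, lo.patch + 1)

def resolve(requirements):
    """requirements: {package: {(dep_uuid, dep_name): compat}}.
    Returns (resolved {uuid: (lo, hi)}, conflicts [messages])."""
    ranges, conflicts = {}, []
    for pkg, deps in requirements.items():
        for (uuid, name), spec in deps.items():
            lo, hi = caret_range(spec)
            prev_lo, prev_hi, who = ranges.get(uuid, (lo, hi, []))
            lo, hi, who = max(lo, prev_lo), min(hi, prev_hi), who + [pkg]
            ranges[uuid] = (lo, hi, who)
            if lo >= hi:
                conflicts.append(f"{name} {uuid}: no single version satisfies {who}")
    return {u: (lo, hi) for u, (lo, hi, _) in ranges.items() if lo < hi}, conflicts

HTTP = ("00000000-0000-0000-0000-0000000000aa", "HTTP")          # placeholder UUID
PRIVATE_HTTP = ("00000000-0000-0000-0000-0000000000bb", "HTTP")  # re-registered fork

AS_ASKED = {"A": {HTTP: "1.5.1"}, "B": {HTTP: "0.9.17"}}        # thread's starting point
B_UPDATED = {"A": {HTTP: "1.5.1"}, "B": {HTTP: "1.5.1"}}        # B forked and compat bumped
B_PRIVATE_COPY = {"A": {HTTP: "1.5.1"}, "B": {PRIVATE_HTTP: "0.9.17"}}  # new UUID, no clash

if __name__ == "__main__":
    for label, reqs in [("as asked", AS_ASKED), ("B updated", B_UPDATED), ("private copy", B_PRIVATE_COPY)]:
        print(label, resolve(reqs))
```

The first scenario yields no satisfiable HTTP range; the other two resolve, the third with two distinct HTTP entries because the resolver keys on UUID rather than name.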