I can't speak to dep, but cargo has options that give you the same degree of control over which part of your dependency graph should be upgraded to what. The default behavior is to rely on semver and assume "latest is greatest".
When looking at the go.mod files produced as examples, they to me end up looking and behaving remarkably similar to the lockfiles we have today. The same kind of tooling is also being proposed to build around it to manage upgrades.
You don't get volatile dependencies with lock files. The trade-off I see is who's responsible for advertising security updates and bug fixes: Library or application maintainers? Breaking semver constraints is painful regardless, but which group is more plentiful?