Support package restore to work with "highest" while following constraints

[giggio]

Note: This is coming as a parallel request to an update on dnu. See aspnet/dnx#2657

We need to be able to tell nuget (and VS) to restore the highest available version from a dnx package. Right now it always resolves to lowest.

For example, if my app dependes on "[1,2)", this means I depend on at least version 1, and I accept anything up to version 2. But if 1.0.0 and 1.1.0 exist, nuget will always get 1.0.0.
There is no config at this moment that allows nuget to get the highest available version that works with a version spec. A higher version will only be selected if there is another package restricting the dependence to a higher range.

This is really important for package authors for fixing security issues, releasing minors, etc.

Node is a good example on how to work this.
Node allows patch updates with ~, like ~1.0.0 (anything from 1.0.0 to 1.1.0 - not included) and minor updates with ^, like ^1.0.0 (anything from 1.0.0 to 2.0.0 - not included).
Node also allow for wildcards with the x, like 1.x (anything greater or equal to 1.0 and lower than 2).

[emgarten]

This is possible already by adding the dependency to project.json and specifying the version as 1.*

[nugetlurker]

I think @giggio is saying that he wants the package author to specify that the is going to get bumped on restore. Did I get right?

[giggio]

It depends. Does 1.* mean "anything greater than 1.0.0"? Or "greater than 1.0.0 but smaller than 2?
Also, the * is not enough. How do I specify "greater than 1.3 but smaller then 2"?

Also, if I use 1.* for a dependency, and 1.0, 1.1, 1.2 and 2.0 are available, which one will it use?

Also, can we do 1.2.*? And what would it mean?

[yishaigalatzer]

So to answer your questions:

in project.json

1.* means literally a wildcard match so it will match 1.1, 1.2 and 1.3 etc.

There is no way to specify greater than 1.3 and smaller than 2.0, and I agree that's something that should be added.

You cannot specify 1.* for a dependency only on the project.json level (so not in the nuspec).

1.2.* means, 1.2, 1.2.1, 1.2.3, etc

[yishaigalatzer]

For package dependencies, we discussed this at length and at this point we don't believe this is something we are going to support.

A user can make that choice by including the dependency in project.json, but the package author will not be able to do that without revving his package version to ask for a new dependency. The desire is to keep a constant experience when installing a package.

This is a common decision we repeated in a discussion with the DNX team today.

CC // @lodejard @davidfowl

[giggio]

The problem with not supporting a way to configure installation of highest version by default is that we have to manually update our dependencies all the time. This can be time consuming as our dependencies grow, which is likely to happen. Why not allow me to control how I want to update my dependencies? If I want a constant experience I can use a lock file, or not specify a range. That should be the way to get the constant experience. If I am ok with minor or patch automatic updates, than I need to be able to specify that. I should be in control of that, not nuget or dnu. Please don't take that decision from me.

It is not clear to me yet if the 1.* syntax will allow us to install highest versions or simply work as wildcard, but keep installing the lowest version, prefering 1.1 over 1.2. What is the behavior for wildcard?

[emgarten]

1.* floats to the highest version. 1.2 will be selected at restore time in your example.

[giggio]

@emgarten excelent! 👍
So that works as I would expect, then. The only thing missing would be to specify "greater than 1.3 and smaller than 2", which in node is ^1.3.

[yishaigalatzer]

Would you mind sharing examples for your setups with specific packages/projects to help understand your scenanarios a bit better?

---

From: Giovanni Bassimailto:notifications@github.com
Sent: ‎9/‎12/‎2015 1:04 PM
To: NuGet/Homemailto:Home@noreply.github.com
Cc: Yishai Galatzermailto:yigalatz@microsoft.com
Subject: Re: [Home] Support package restore to work with "highest" while following constraints (#1360)

@emgartenhttps://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fgithub.com%2femgarten&data=01%7c01%7cyigalatz%40microsoft.com%7ccfbf28affb5a46d9f79b08d2bbad6072%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=AfH%2fDp1Xy362XTFcpV%2b3cOQxgLr2crGvh30CsgkDRLw%3d excelent! [:+1:]
So that works as I would expect, then. The only thing missing would be to specify "greater than 1.3 and smaller than 2", which in node is ^1.3.

—
Reply to this email directly or view it on GitHubhttps://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fgithub.com%2fNuGet%2fHome%2fissues%2f1360%23issuecomment-139815560&data=01%7c01%7cyigalatz%40microsoft.com%7ccfbf28affb5a46d9f79b08d2bbad6072%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=j53gGFC2ABW9H64s%2falgA0%2fkhjatK65AAHoTcbek76U%3d.

[giggio]

Sure. I am developing a set of libraries, and I would like that people using this libraries to be automatically updated to a determined patch, but not minor, versions, automatically.
So, for example, my latest release is 2.3.3. So they should be able to say that they want at least that version, and any bug fixes after that.
On node, we would say ~2.3.3. On nuget, if we say 2.3.*, they might get 2.3.0, which is not what they should be getting. This would not be common, as it would only happen if they get another dependency that states they depend exactly (or up to) 2.3.0.
If I release 2.3.4, they will automatically get this version when they restore again, right? So that already works.

So, I have another question, if they already have 2.3.3, and they nuget restore, does that mean that now they will get 2.3.4 on the packages directory, replacing the old version? Would this work on nuget 2 and 3? And would project.lock.json be automatically updated when you nuget restore, same as on dnu? And is there a lock file for nuget 2?

[yishaigalatzer]

If I'm reading you right, That does not happen for dependencies, you can only specify it as a user for your top level dependencies.

The reason this doesn't work is that restore is a step needs to be 100% repeatable, generating the same result.

The suggestion right now is for a package author to rev his whole package graph rather than edge nodes. So say your package is named A 2.3 depending on B 2.3, when you rev B to 2.4 you also rev A to 2.4.

Now a user though can depend on A 2.* (and not yet 2.3 through 2.*)

Does that make sense?

---

From: Giovanni Bassimailto:notifications@github.com
Sent: ‎9/‎12/‎2015 1:57 PM
To: NuGet/Homemailto:Home@noreply.github.com
Cc: Yishai Galatzermailto:yigalatz@microsoft.com
Subject: Re: [Home] Support package restore to work with "highest" while following constraints (#1360)

Sure. I am developing a set of libraries, and I would like that people using this libraries to be automatically updated to a determined patch, but not minor, versions, automatically.
So, for example, my latest release is 2.3.3. So they should be able to say that they want at least that version, and any bug fixes after that.
On node, we would say ~2.3.3. On nuget, if we say 2.3.*, they might get 2.3.0, which is not what they should be getting. This would not be common, as it would only happen if they get another dependency that states they depend exactly (or up to) 2.3.0.
If I release 2.3.4, they will automatically get this version when they restore again, right? So that already works.

So, I have another question, if they already have 2.3.2, and they nuget restore, does that mean that now they will get 2.3.3 on the packages directory, replacing the old version? Would this work on nuget 2 and 3? And would project.lock.json be automatically updated when you nuget restore, same as on dnu? And is there a lock file for nuget 2?

—
Reply to this email directly or view it on GitHubhttps://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fgithub.com%2fNuGet%2fHome%2fissues%2f1360%23issuecomment-139819633&data=01%7c01%7cyigalatz%40microsoft.com%7c14fb47a99c6241e5402408d2bbb4c6ea%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=viM6o0PxTy%2fZiWDDvfY9o8jlzZWrhZlUcpyWgRTck9w%3d.

[giggio]

The idea that a restore should be 100% repeatable is debatable. Yes, it should be if that is what I want. This is usually true when we are releasing, but it is usually not true all the time when we are developing. So, if during development, a dependency is updated, on the next restore, very often, I want to get the new version, no the old one.
And the way to setup that is, throughout the industry, by using lock files.

Back to some questions:

Assuming we have published package A, version 2.3.3. If a user specifies his dependencies for package A as 2.3.*, and had already nuget restored and had version 2.3.3 already installed. When I release 2.3.4:

1. Will they automatically get version 2.3.4 on the next restore with nuget 2 and nuget 3?
2. Does that mean that the packages directory will get a new version, then?
3. Would project.lock.json be automatically updated when you nuget restore, same as on dnu?
4. Is there a lock file for nuget 2?

[yishaigalatzer]

1. That's not really debatable. Unless the user made an explicit choice to float, he will get the same version
2. There is really no such thing as nuget2 and nuget3, there are the usage of packages.config or project.json to define dependencies
3. There is no way to use stars or float in packages.config, nor there will be. The user has to run an update command.
4. In project.json the next restore will download 2.3.4 and put it in the global packages folder and write it into the lock file

---

From: Giovanni Bassimailto:notifications@github.com
Sent: ‎9/‎12/‎2015 6:33 PM
To: NuGet/Homemailto:Home@noreply.github.com
Cc: Yishai Galatzermailto:yigalatz@microsoft.com
Subject: Re: [Home] Support package restore to work with "highest" while following constraints (#1360)

The idea that a restore should be 100% repeatable is debatable. Yes, it should be if that is what I want. This is usually true when we are releasing, but it is usually not true all the time when we are developing. So, if during development, a dependency is updated, on the next restore, very often, I want to get the new version, no the old one.
And the way to setup that is, throughout the industry, by using lock files.

Back to some questions:

Assuming we have published package A, version 2.3.3. If a user specifies his dependencies for package A as 2.3.*, and had already nuget restored and had version 2.3.3 already installed. When I release 2.3.4:

1. Will they automatically get version 2.3.4 on the next restore with nuget 2 and nuget 3?
2. Does that mean that the packages directory will get a new version, then?
3. Would project.lock.json be automatically updated when you nuget restore, same as on dnu?
4. Is there a lock file for nuget 2?

—
Reply to this email directly or view it on GitHubhttps://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fgithub.com%2fNuGet%2fHome%2fissues%2f1360%23issuecomment-139837368&data=01%7c01%7cyigalatz%40microsoft.com%7c0c0c4934d5f744cd555008d2bbdb5095%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=EtshPO2L%2fOgLJXN2YD8%2f1qlSdCQfXZpmmkQYBVTXYbM%3d.

[giggio]

Ok, so I will restate that so it clear to me. I write anything incorrect, please point the error.

Both nuget 2 and nuget 3 support package.config, but package.config does not support stars (*), which is the only way to float dependencies at the moment.
Only project.json support starts, but nuget 2 does not support project.json, so the only way to get dependencies to float is to use project.json, and move from nuget 2 to nuget 3.
The packages directory is only used on nuget 2, so that will never get floated packages.
When nuget restores a project.json that has a dependency with a star, it will always download the highest available version that satisfies that dependency spec, and save that change to project.lock.json.

Ok, I think I get it now. Thanks for all the help, everyone.

[yishaigalatzer]

Very accurate!

Sent from my Windows Phone

---

From: Giovanni Bassimailto:notifications@github.com
Sent: ‎9/‎13/‎2015 11:48 AM
To: NuGet/Homemailto:Home@noreply.github.com
Cc: Yishai Galatzermailto:yigalatz@microsoft.com
Subject: Re: [Home] Support package restore to work with "highest" while following constraints (#1360)

Ok, so I will restate that so it clear to me. I write anything incorrect, please point the error.

Both nuget 2 and nuget 3 support package.config, but package.config does not support stars (*), which is the only way to float dependencies at the moment.
Only project.json support starts, but nuget 2 does not support project.json, so the only way to get dependencies to float is to use project.json, and move from nuget 2 to nuget 3.
The packages directory is only used on nuget 2, so that will never get floated packages.
When nuget restores a project.json that has a dependency with a star, it will always download the highest available version that satisfies that dependency spec, and save that change to project.lock.json.

Ok, I think I get it now. Thanks for all the help, everyone.

—
Reply to this email directly or view it on GitHubhttps://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fgithub.com%2fNuGet%2fHome%2fissues%2f1360%23issuecomment-139907394&data=01%7c01%7cyigalatz%40microsoft.com%7c318d0bd82ac5431badee08d2bc6bf08a%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=vALsbt3RRvgANF9KJwizOk0ko8vwZN5ICAdYXZ193T4%3d.

[yishaigalatzer]

@giggio closing, as I believe this is now resolved in your mind. If you have a specific follow up, lets discuss a more targeted new issue