breaking change in 4.9.0 due to drop of node 6 support #172
Comments
|
AFAIK the changes aren't exactly backwards-incompatible, based on that my suggestion is:
It seems like these connectors have the same issue with dropping Node.js 6 support under a semver minor: Based on Module LTS, there shouldn't be a need to drop Node.js versions unless a breaking change was necessary to be compatible with the latest Node.js version:
/cc @strongloop/loopback-admins |
|
For the record: When we drop 6.x or 8.x, what we really did was to change engines in package.json. The module is still available for applications that run with lower version of node. See https://docs.npmjs.com/files/package.json#engines:
|
raymondfeng
changed the title
|
The changes are not node 6 compatible, such as using spread operators... |
|
@regevbr thanks for the info; Regrettably this may be a bit more difficult, as rolling back minor versions is a backwards-incompatible change in itself. A possible suggestion:
This may break other projects that are already utilising |
|
Thank you @regevbr for opening the discussion. I agree with you that ideally, when we remove support for a major Node.js version (e.g. Unfortunately, this does not work well with our LTS support policy. If we keep supporting EOL versions of Node, and there is a security vulnerability discovered in one of our dependencies, and this vulnerability is fixed in the latest version only, and that latest version no longer supports EOLed version of Node, then we cannot get the fix. If we are not able to fix security vulnerabilities in our LTS versions, then it's IMO no long-term support at all. We have discussed this for a bit around Node.js 4.x release (pretty much the first relevant release after 2-3 years of having everybody on Node.js 0.10). I believe we reached the conclusion that when having to choose between security fixes and strict adherence to semver rules, we prefer security over user convenience. BTW this gets even more complicated for major versions of the framework itself (e.g. My recommendation is to use package-lock and npm-shrinkwrap functionality to lock down your dependencies to the latest versions that still support Node.js 6.x. BTW I hope that you are aware that both Node.js versions 6.x and 8.x contain known security vulnerabilities? |
|
Hi @bajtos Thanks for a very detailed response! I understand your concerns, and I hope that you will find a better way to handle it in future products. I'm aware of the issues, and working hard towards upgrading my node versions, but that will take time... |
Thank you! ❤️
I am sorry for the troubles we caused. I know from my personal experience how annoying it can be when something that is working perfectly fine suddenly requires a lot of attention because the landscape provided by dependencies shifted a lot. Good luck! 🍀 |
|
Thank you! |
Hi,
You have dropped support for node 6 in version 4.9.0 which is completely acceptable as it is EOL, but that is a braking change and in order to adhere to semver, you can't publish that breaking change under the same major version.
Sadly, I'm still using node 6 and your change broke all my repositories.
Can you please roll back the release and make the changes in a new major version?
Thanks,
The text was updated successfully, but these errors were encountered: