Issue #16821 has been updated by colindkelley (Colin Kelley).


Thank you for the quick response. Yes, I will refile there. Sorry for mistakenly filing here.

----------------------------------------
Feature #16821: gem version notation for "rational version" compatibility
https://bugs.ruby-lang.org/issues/16821#change-85327

* Author: colindkelley (Colin Kelley)
* Status: Third Party's Issue
* Priority: Normal
----------------------------------------
When a gemspec wants to express a version requirement, we typically use the `'~> '` notation like this:
```ruby
  spec.add_dependency 'nokogiri', '~> 1.8'
```
This indicates compatibility following the "rational versioning" as described here: https://github.com/ruby/ruby/blob/master/lib/rubygems/version.rb#L72
(basically the same as Semantic Versioning: https://semver.org/).

Anything >= 1.8 and < 2.0 is compatible.

But suppose a CVE comes out like this one: https://github.com/sparklemotion/nokogiri/issues/1915
Many developers reacted to that CVE by changing the requirement to:
```ruby
  spec.add_dependency 'nokogiri', '~> 1.10.4'
```
But that isn't correct, as it precludes an upgrade to 1.11. We need a notation that means >= 1.10.4 and < 2.0.

The only way to do that currently is to use a combination of two requirements:
```ruby
  spec.add_dependency 'nokogiri', '>= 1.10.4', '< 2.0'
```
I propose we add a "rational compatible" option that would do the above. We could choose any prefix to mean that. For example, `'=>'`. Then the CVE requirement could be expressed succinctly:
```ruby
  spec.add_dependency 'nokogiri', '=> 1.10.4'
```
And developers could use this "rational compatible" operator as their default for all gem requirements.

The implementation would involve adding one entry to the `OPS` hash in requirement.rb:
```ruby
    # Proposed entry: v >= r, and v stays within r's major (first) segment.
    # Gem::Version#_segments is protected and not callable from Gem::Requirement,
    # so the public #segments accessor is used here instead.
    "=>" =>  lambda { |v, r| v >= r && v.segments.first < (r.segments.first.to_i + 1) }
```
Please LMK if there's interest. I would be happy to submit a Pull Request including tests and documentation.



-- 
https://bugs.ruby-lang.org/

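The three notations discussed in the issue, as an added example that is not part of the ticket and not RubyGems code. It evaluates `~>` and the `>= x, < y` pair with RubyGems' own `Gem::Requirement`, and implements the proposed `=>` semantics as a stand-alone predicate over `Gem::Version` (the `RationalCompatible` module name and the version strings in the demo are constructed for this example). The `2.0.0.pre` row shows a caveat of the two-requirement workaround: `< 2.0` admits prereleases of 2.0, because RubyGems orders `2.0.0.pre` below `2.0`, whereas the first-segment check rejects them.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby

# Added example (not from the issue or from RubyGems): the proposed
# "rational compatible" operator, spelled "=>" in the issue, implemented
# as a stand-alone predicate so it can be compared side by side with the
# existing "~>" operator and the ">= x", "< y" pair the issue describes.
module RationalCompatible
  # Today's pessimistic operator, evaluated by RubyGems itself:
  # "~> 1.10.4" means >= 1.10.4 and < 1.11.
  def self.pessimistic?(version, req)
    Gem::Requirement.new("~> #{req}").satisfied_by?(Gem::Version.new(version))
  end

  # The two-requirement form from the issue, also evaluated by RubyGems:
  # ">= 1.10.4", "< 2.0". The upper bound is derived from req's major segment.
  def self.two_requirements?(version, req)
    major = Gem::Version.new(req).segments.first
    Gem::Requirement.new(">= #{req}", "< #{major + 1}.0")
                    .satisfied_by?(Gem::Version.new(version))
  end

  # The proposed "=>" semantics: >= req and the same major (first) segment.
  # This mirrors the lambda proposed for OPS, using the public #segments
  # accessor (Gem::Version#_segments is protected and cannot be called
  # from Gem::Requirement).
  def self.compatible?(version, req)
    v = Gem::Version.new(version)
    r = Gem::Version.new(req)
    v >= r && v.segments.first < r.segments.first + 1
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample versions checked against the CVE-style floor 1.10.4.
  req = "1.10.4"
  puts format("%-10s %-10s %-12s %-10s", "version", "~> #{req}", ">= #{req}, < 2.0", "=> #{req}")
  %w[1.10.3 1.10.4 1.10.8 1.11.0 2.0.0.pre 2.0.0].each do |v|
    puts format("%-10s %-10s %-12s %-10s", v,
                RationalCompatible.pessimistic?(v, req),
                RationalCompatible.two_requirements?(v, req),
                RationalCompatible.compatible?(v, req))
  end
end
```

Run it with `ruby rational_compatible.rb`: the `1.11.0` row is the case the issue is about (`~> 1.10.4` rejects it, the other two accept it), and the `2.0.0.pre` row is where the two-requirement workaround and the proposed operator disagree.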