Skip to content

Use minimal minor of 3rd-party dependencies #883

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: future
Choose a base branch
from
Open

Use minimal minor of 3rd-party dependencies #883

wants to merge 3 commits into from

Conversation

@dbeuchler
Copy link
Member

@dbeuchler dbeuchler commented Nov 28, 2025
edited
Loading

For framework users, it is actually highly unnecessary—and often counterproductive—to always depend on the latest minor version. This PR reduces dependency versions wherever no newer features are required.

Here is an example:
A project uses MQTT 10.1.x in its application. Now the MQTT driver is released and demands 10.8.x, even though the driver does not use any feature introduced after 10.1.x. As a result, the user is forced to upgrade for no technical reason.
In the MORYX Framework we once had a clear rule: always reference the minimum minor version unless a higher version is explicitly required (for example due to security fixes or new features).
This principle should still apply. I will create an ADR for that.

The same applies to MORYX Drivers and Resources: They should reference 8.0.0 or 10.0.0, but not anything higher unless there is a strong reason such as a security fix or the usage of a new API. This is also one of the reasons I'm not a big fan of placing the MQTT driver and the OPC UA driver inside the monorepo: it becomes too easy for dependencies to drift upwards without justification.

Some reasons:

  1. Avoids unnecessary forced upgrades for users
  2. Ensures maximum compatibility across the ecosystem: Lower version requirements mean that more projects can combine packages without version conflicts.
  3. Reduces maintenance overhead for users
  4. Improves long-term stability
  5. Makes security and feature upgrades intentional
  6. Better semantic versioning discipline: Minor versions should only be required when the code actually consumes minor-level changes. Depending on the highest available minor defeats the purpose of semantic versioning.

@jsonBackup Could you adjust the dependabot configuration to this? On Future only propose major updates. Minors/Patches will be grabbed when they are necessary for a feature or after a certain amount of time. For OPCFoundation.NetStandard.Opc.Ua.Client only propose "patch" changes because the third value of the version is used as major for this package.

@dbeuchler dbeuchler added this to the Framework 10.0.0 milestone Nov 28, 2025
@dbeuchler dbeuchler self-assigned this Nov 28, 2025
@dbeuchler dbeuchler force-pushed the fix/dependencies branch 3 times, most recently from 8e26091 to ff56948 Compare November 28, 2025 11:45
1nf0rmagician
1nf0rmagician previously approved these changes Nov 28, 2025
View reviewed changes
@dbeuchler
Copy link
Member Author

dbeuchler commented Nov 28, 2025
edited
Loading

I reverted the change of OPCFoundation.NetStandard.Opc.Ua.Client because they moved any synchrounus API to extensions, so all tests are broken and they are not so easy to restore. This is a bigger topic and required more work. For MORYX 10 we should drop the sync-API on IOpcUaDriver #885.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@1nf0rmagician 1nf0rmagician 1nf0rmagician left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@dbeuchler dbeuchler

Labels

dependencies

Projects

None yet

Milestone

Framework 10.0.0

Development

Successfully merging this pull request may close these issues.

3 participants

@dbeuchler @1nf0rmagician