Use ^ constraint instead of == when adding poetry dependencies #747

Closed
drdavella opened this issue Jul 26, 2024 · 5 comments
Comments

@drdavella
Member

This is based on user feedback that more flexibility in versioning would be appreciated.

@clavedeluna
Contributor

Can you give a bit more details as to what the ask is? Because right now the package manager with poetry is able to retain any dependencies that do have "^", but our own dependencies that a codemod may add are added with == always.

@drdavella
Member Author

The ask is that when we add poetry dependencies we should use the ^ constraint instead of ==.

@clavedeluna clavedeluna self-assigned this Jul 26, 2024
@clavedeluna
Contributor

@drdavella I'd like to point out that this ask may cause issues. Here's an example.
We currently would add security = "==1.3.1" to a pyproject.toml poetry project. This is exact. The ask to move to security = "^1.3.1" would mean that we're saying that the dependency we're adding (security, defusedxml, etc.) is safe and has the same API we expect in all minor and patch versions, as security = "^1.3.1" means ">=1.3.1, <2.0.0". While in most cases we'd hope that all of those minor/patch versions are as secure and have the API we expect, there may be cases when that's not the case.

(this also means we need to be better at managing the security package).

I'd also argue if we're going to allow for more flexible dependency versions for poetry, why not add "<2.0.0" for all our supported package stores?

What do you think?

@drdavella
Member Author

@clavedeluna I understand the risk although in this case I think that explicitly adding <2.0.0 is redundant since it's already inherent in the meaning of ^1.2.3 and also ==1.2.3.

@clavedeluna
Contributor

> @clavedeluna I understand the risk although in this case I think that explicitly adding <2.0.0 is redundant since it's already inherent in the meaning of ^1.2.3 and also ==1.2.3.

What I meant is that, if we're going to do ^1.2.3 for poetry, then we should also stop doing ==1.2.3 for all other managers and do >=1.2.3, <2.0.0.
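To make the widening discussed in this thread concrete, here is an added example (not code from the issue or from the project) that expands a Poetry-style caret constraint into the explicit >=,< pair proposed for the other package managers and reports which published versions a pin admits versus the caret form. The 0.x caret rules are assumed from Poetry's documented caret semantics, and the list of published versions is constructed for the demo.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'X', 'X.Y' or 'X.Y.Z' into a padded (major, minor, patch) tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3 or any(p < 0 for p in parts):
        raise ValueError(f"unsupported version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))  # type: ignore[return-value]


def caret_range(constraint: str) -> Tuple[Version, Version]:
    """Expand ^X.Y.Z into (inclusive lower bound, exclusive upper bound).

    Assumed Poetry caret semantics: bump the left-most non-zero component
    (^1.3.1 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4, ^0 -> <1.0.0).
    """
    m = re.fullmatch(r"\^\s*(\d+(?:\.\d+){0,2})", constraint.strip())
    if not m:
        raise ValueError(f"not a caret constraint: {constraint!r}")
    text = m.group(1)
    lower = parse_version(text)
    given = text.count(".") + 1  # number of components the author wrote
    major, minor, patch = lower
    if major > 0 or given == 1:
        upper: Version = (major + 1, 0, 0)
    elif minor > 0 or given == 2:
        upper = (0, minor + 1, 0)
    else:
        upper = (0, 0, patch + 1)
    return lower, upper


def explicit_constraint(constraint: str) -> str:
    """Rewrite a caret constraint as the '>=lower,<upper' form."""
    lower, upper = caret_range(constraint)
    fmt = lambda v: ".".join(str(n) for n in v)
    return f">={fmt(lower)},<{fmt(upper)}"


def admitted(constraint: str, candidate: str) -> bool:
    """True if `candidate` could be resolved under the caret constraint."""
    lower, upper = caret_range(constraint)
    return lower <= parse_version(candidate) < upper


def widening(pinned: str, published: List[str]) -> Dict[str, List[str]]:
    """Compare what '==pinned' admits against what '^pinned' admits."""
    exact = parse_version(pinned)
    return {
        "==": [v for v in published if parse_version(v) == exact],
        "^": [v for v in published if admitted("^" + pinned, v)],
    }
```

Running `widening("1.3.1", ["1.2.0", "1.3.1", "1.4.0", "2.0.0"])` shows the pin admitting only 1.3.1 while the caret form also admits 1.4.0, which is exactly the set of releases whose API and security posture the caret form silently vouches for.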

@clavedeluna clavedeluna removed their assignment Aug 7, 2024