We recently had this happen in dwyl/auth_plug#76 and it's happened in the past too. ⏳
It's happening to me in the `auth` project while I try to update `Fields`:
```
mix deps.get
Resolving Hex dependencies...

Failed to use "ecto" (versions 3.3.0 to 3.9.1) because
  ecto_sql (version 3.7.2) requires ~> 3.7.0
  phoenix_ecto (version 4.4.0) requires ~> 3.3

Failed to use "ecto" (versions 3.7.0 to 3.7.2) because
  ecto_sql (version 3.7.2) requires ~> 3.7.0
  fields (version 2.9.1) requires ~> 3.8
  phoenix_ecto (version 4.4.0) requires ~> 3.3

Failed to use "jason" (version 1.4.0) because
  auth_plug (version 1.4.11) requires ~> 1.2
  elixir_auth_github (version 1.6.2) requires ~> 1.2
  elixir_auth_google (version 1.6.3) requires ~> 1.2
  phoenix (version 1.6.6) requires ~> 1.0
  phoenix_live_view (version 0.17.7) requires ~> 1.0
  postgrex (version 0.16.2) requires ~> 1.0
  rbac (version 0.7.1) requires ~> 1.3.0
  mix.exs specifies ~> 1.3

** (Mix) Hex dependency resolution failed, change the version requirements of your dependencies
or unlock them (by using mix deps.update or mix deps.unlock).
If you are unable to resolve the conflicts you can try overriding with {:dependency, "~> 1.0", override: true}
```
As noted in dwyl/auth_plug#76 (comment) this is one of my biggest frustrations with Hex. 😢
By upgrading to a later version of a dependency e.g. `jason` or `plug` in one of the packages we "control", we are no longer able to use the package in a project where a different dependency relies on an older version!
So we are forced to conform to the lowest common denominator in terms of updates.
Which is really bad for both security and performance. 🤦♂️
When a newer version of a package is released, provided all tests continue passing, everyone should use it!
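
The resolver output in the post can be replayed with Elixir's standard `Version.match?/2` to see exactly which requirement rejects a given release. This is an added example, not part of the original issue; the `ConflictCheck` module and the candidate versions `1.3.0` and `3.8.0` are constructed for illustration.

```elixir
# Added example: requirement strings are copied from the resolver output
# above; the ConflictCheck module name is hypothetical.
defmodule ConflictCheck do
  # Returns the {package, requirement} pairs that reject `version`.
  def blockers(version, requirements) do
    Enum.reject(requirements, fn {_pkg, req} -> Version.match?(version, req) end)
  end

  # Returns the candidate versions that satisfy every requirement.
  def satisfiable(candidates, requirements) do
    Enum.filter(candidates, &(blockers(&1, requirements) == []))
  end
end

jason_reqs = [
  {"auth_plug 1.4.11", "~> 1.2"},
  {"elixir_auth_github 1.6.2", "~> 1.2"},
  {"elixir_auth_google 1.6.3", "~> 1.2"},
  {"phoenix 1.6.6", "~> 1.0"},
  {"phoenix_live_view 0.17.7", "~> 1.0"},
  {"postgrex 0.16.2", "~> 1.0"},
  {"rbac 0.7.1", "~> 1.3.0"},
  {"mix.exs", "~> 1.3"}
]

ecto_reqs = [
  {"ecto_sql 3.7.2", "~> 3.7.0"},
  {"fields 2.9.1", "~> 3.8"},
  {"phoenix_ecto 4.4.0", "~> 3.3"}
]

# "~> 1.3.0" allows only 1.3.x, while "~> 1.3" allows any 1.x from 1.3 up.
IO.inspect(ConflictCheck.blockers("1.4.0", jason_reqs), label: "jason 1.4.0 rejected by")

# 1.3.0 is a constructed candidate used to contrast with 1.4.0.
IO.inspect(ConflictCheck.satisfiable(["1.3.0", "1.4.0"], jason_reqs),
  label: "jason candidates accepted"
)

# 3.7.2 and 3.9.1 appear in the output; 3.8.0 is a constructed candidate.
for v <- ["3.7.2", "3.8.0", "3.9.1"] do
  IO.inspect(ConflictCheck.blockers(v, ecto_reqs), label: "ecto #{v} rejected by")
end
```

Run it with `elixir conflict_check.exs`: every requirement that prints as a blocker is a pin that keeps a newer release out of the lock file.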