Disallow packages with outdated minor or patch versions

[MartinSStewart]

What the rule should do:
Check elm.json to see if any package are out of date. In this context, "out of date" is only if there's a package with the same major version and a larger minor or patch version.

When (not) to enable this rule:

In the rare cases where a patch or minor change introduces a breaking change to the logic of an existing function

I am looking for:

• Is this rule useful? I personally like that it consolidates a feature of elm-json into elm-review. The fewer elm tools I need to install the better!
• What should the rule be called?

I don't think this rule is possible to implement right now since elm-review doesn't give us information about packages. This issue is more of a data point for what's possible with more elm-review features.

[jfmengels]

I don't think this rule is possible to implement right now since elm-review doesn't give us information about packages.

It is not possible indeed with the feature set that elm-review has right now.
Technically, it is possible:

• Before running, fetch the dependencies on the package registry (try not to overload the registry server though!)
• Use that data to generate an Elm file
• Have the rule import that file
• Run elm-review

It's not great, but it would work.

What should the rule be called?

I'd go for NoOutdatedDependencies. I guess it would need to be named differently, since you want to exclude the major dependencies, so something like NoOutdatedMinorDependencies?. But maybe some would be interested in both, and then it could be interesting to have the rule configurable to do either of those (and then, NoOutdatedDependencies fits well).

Is this rule useful?

I certainly think knowing about outdated dependencies is useful. But I don't think it would work into an elm-review rule. Imagine a package you are using gets a new version, and now your project's tests will fail. This may be okay if you are the only one working on the project, but if you are on a team and this rule is running on CI, that will be quite annoying.

Elm Analyse lets you know that a dependency is outdated (even for major versions) in the web view, but it does not get reported as an error. That is also useful, but I am not sure how elm-review could present that to you. We'd probably need a new subcommand for it.

When (not) to enable this rule

I think it would be useful only for people who work alone on a project.

Also, it would be for people working on an application, since it's less necessary for packages to have updated minor/patch dependencies IMO.

[MartinSStewart]

I certainly think knowing about outdated dependencies is useful. But I don't think it would work into an elm-review rule. Imagine a package you are using gets a new version, and now your project's tests will fail.

There is a risk of this but I think in practice it would rarely happen. If the CI takes a long time then having to restart it might make this too annoying to use, but I can say I'd use a rule like this with my team at work (our CI takes 2-3 minutes).