Package Manager Usage

[ahasselbring]

• Do we want to have Cargo.lock and package-lock.json checked in? Rust says that for libraries, versions should not be pinned, but for applications, they should. Does this conflict with the idea of having them in a shared workspace? (at the moment, game_controller_app has its own dependencies, but only because tauri cannot handle workspace dependencies in the latest released version)
• Are the version specifications in Cargo.toml and package.json reasonable?

I usually don't write software in ecosystems where you add dependencies this way, so I have no idea what "the right thing" is.

[jayenashar]

package.json isn't pinned. ^ means it can upgrade the patch level

[ahasselbring]

According to the documentation, ^ can also upgrade minor (and ~ only patch level). The question is rather what we want.

If I understand it correctly, then for packages which can be trusted to use semver correctly (do those exist?), ~ would be okay (and ^ not necessary because if new features from a minor release are needed the version should be updated manually), while for packages without a strict version scheme we should pin an exact version?

[jayenashar]

^ is perfectly normal for node projects, so i think we should keep it. the package-lock says explicitly which versions are known to work