Relax prism version constraint

[gmcgibbon]

Right now, we have an upper-bound version constraint on Prism here:

rbi/rbi.gemspec

Line 27 in 15448ad

spec.add_dependency("prism", ">= 0.18.0", "< 0.22")

It looks like the original reason for this was to prevent a breaking change from affecting RBI in 2abfa69. In practice, this works well in the moment, but when applications need to specify a new version of Prism, they can't (because RBI is being strict for seemingly no reason).

This seems to have caused more strain on maintainers of RBI to release a new version for every version bump of a dependency, and that doesn't make sense. Can we relax this dependency to either:

• Remove the upper-bound entirely, and expect maintainers of Prism to fix unintended breaking changes with subsequent releases.
• Restrict to the next major version (1.0), and trust Prism to introduce breaking changes intentionally with a major version bump.

I'm asking because I got bit by this while testing a patch on Packwerk that's attempting to use Prism.

[vinistock]

Prism might still go through breaking changes in the Ruby API while the team works to integrate it with the Ruby compiler. We can't relax the constraints until the API is stabilized or we risk breaking rbi on a minor release from Prism.

We're waiting for confirmation from the team working on Prism that the API is stable and then we can relax the constraints and use major versions as the indicator of breaking changes.

[andyw8]

But might this also be an indication that we don't have full confidence in rbi's tests? Would improving those help to mitigate the risk of breaking changes?

[vinistock]

I don't believe that's the case. We do have confidence in the test suite, but if we relax the constraint people will be able to upgrade Prism and break RBI regardless of the tests.

Imagine this scenario:

• We relax the constraints to be prism < 1.0.0
• A breaking change is released in Prism v0.26
• Someone runs bundle update prism
• RBI will break after the update for end users, regardless of our test suite

[andyw8]

Closing as we still want to restrict the Prism version while there are breaking changes. Hopefully not for too much longer.

[rafaelfranca]

We should allow users to use any new version of prims they want, so they can report bugs (or not) to us. By restricting them we are artificially restricting what they do based on the possibility of anything breaking.

If there were a security bug in prism, we would be the ones restricting people from upgrading. This isn't a good solution long term, and it is false sense security.

If we are worried about prism breaking API, let's run CI every day with the main branch of prism to make sure we fix the problem before the release.