Description
We were running async-http 0.70.0 (as a transitive dependency of async-http-faraday - we didn't have async-http explicitly, hence why dependabot didn't provide an update note for us - we typically only do dependabot updates for Gemfile packages, not transitive ones).
Note: async-http-faraday is open-ended in terms of being compatible with higher minor versions of its async-http dependency (see https://github.com/socketry/async-http-faraday/blob/main/async-http-faraday.gemspec#L28).
That version depends on protocol-http2 via "~> 0.18" as per https://rubygems.org/gems/async-http/versions/0.70.0
The issue is that we then updated protocol-http2 for other reasons (a different gem bumped its requirement on it transitively) to 0.22.0, which broke async-http due to:
- protocol-http2 removed support for priority frame in v0.21.0: "Remove suport for priority frame and stream dependencies." (protocol-http2#23)
While the async-http gem followed suit in v0.85.0 #192, the older version allowed this mismatch due to its open-ended dependency on protocol-http2. (We have since fixed the issue in our code base by also bumping async-http).
Given that async-http at newer versions is still open-ended:
Line 33 in e259845
Can async-http be more explicit on the higher end on what dependency versions it supports to avoid transitive updates breaking it in future?
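Added example, not part of the original issue or of async-http's own code: it uses RubyGems' `Gem::Requirement` to show why `~> 0.18` (which means `>= 0.18, < 1.0`) accepted protocol-http2 0.22.0, and how a capped constraint would have failed at resolution time instead. The `BOUNDED` constraint and the `audit` helper are hypothetical; the `< 0.21` cap is chosen only because the issue says the removal landed in v0.21.0.

```ruby
require "rubygems"

# Constructed input, using the constraint and versions quoted in the issue.
OPEN_ENDED = "~> 0.18"          # what async-http 0.70.0 declares
BOUNDED    = "~> 0.18, < 0.21"  # hypothetical capped form, not the project's
RESOLVED   = "0.22.0"           # protocol-http2 version the bundle moved to

# Gem::Requirement rejects comma-joined strings, so split them first.
def parse_requirement(text)
  Gem::Requirement.new(*text.split(",").map(&:strip))
end

# Lowest version a constraint names, ignoring upper bounds and exclusions.
def floor_version(requirement)
  requirement.requirements
             .reject { |op, _| op.start_with?("<") || op == "!=" }
             .map { |_, version| version }
             .min
end

# Reports whether the resolver would accept `resolved`, and how many 0.x
# minor releases it sits beyond the version the constraint was written for.
def audit(name, constraint, resolved)
  requirement = parse_requirement(constraint)
  version = Gem::Version.new(resolved)
  floor = floor_version(requirement)
  accepted = requirement.satisfied_by?(version)
  drift = floor ? version.segments[1].to_i - floor.segments[1].to_i : 0
  {
    gem: name,
    accepted: accepted,
    minor_drift: drift,
    # Pre-1.0 minors may break compatibility, so accepted drift is a risk.
    silent_break_risk: accepted && version.segments[0] == 0 && drift.positive?
  }
end

if $PROGRAM_NAME == __FILE__
  [OPEN_ENDED, BOUNDED].each do |constraint|
    puts audit("protocol-http2", constraint, RESOLVED).inspect
  end
end
```

Running the same audit over the transitive entries in a lockfile highlights 0.x dependencies whose resolved version has drifted several minors past the declared floor, which is the case a Gemfile-only update review does not surface.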