I prefer to either force developers to update their dependencies, or find alternative ways to make the code work independently of the dependency.
In the case of poison requirement, I would guess a better solution would be to just relax requirement in mix.exs, or make it so geoip doesn’t care whether poison is there, and instead you can switch out the json decoder the same way as in Phoenix and e.g. use jason instead.
If I got no other options, then I would do the following (this is from Pow):
@spec dependency_vsn_match?(atom(), binary()) :: boolean()
def dependency_vsn_match?(dep, req) do
case :application.get_key(dep, :vsn) do
{:ok, actual} ->
actual
|> List.to_string()
|> Version.match?(req)
_any ->
false
end
end
I can then check the dependency version requirement like this:
if Pow.dependency_vsn_match?(:ecto, "< 3.0.0"), do: Mix.Ecto, else: Mix.EctoSQL
I use the above only in mix tasks or at compile time, since the dependency version is fixed at compile. I wouldn’t do this at runtime.
