I have always wondered, why every readme wants me to put package versions in my mix.exs file.
E.g.: {:swoosh, "~> 0.12.1"} instead of {:swoosh, ">= 0.0.0"}.
In the first case I have to manually make sure my dependencies are always up to date.
In the second case I can call mix deps.update --all, run my test suite and see after the errors (if any).
In both cases my mix.lock will keep packages pinned to a specific version.
I would only pin a package if my software doesn’t run with the newest version. And only until that issue has been fixed
{:swoosh, "~> 0.12.1"} allows you to assume about a minimum set of functions available in your code, also when youre code is a dependency for others, they can make assumptions as well.
{:swoosh, ">= 0.0.0"} doesn’t give you any information about the dependency besides its name.
To elaborate on that point: Mix will only ever use one mix.lock file per project. So in a default mix project all the lock files of deps are ignored and only the version restrictions of their mix.exs files are used to resolve dependencies. In umbrella projects this holds as well, but the mix.lock is used for the whole umbrella, so dependencies between the multiple umbrella applications will be resolved by each respective apps’ mix.exs file as well.
Considering a mayor version update will almost always be because of api changes you can simply go with {:swoosh, "~> 0.12"}, which will let you update swoosh until v1.0.0 or for stable dependencies {:some_dep, "~> 1.x"}, which allows everything until v2.0.0
