Status: paused — exploring alternatives

This PR is on hold while we explore a less invasive design (see "Why we're pausing" below). Pushing the current state for posterity and so others can refer to it.

Problem

Mops currently requires exact version pins for all dependencies (e.g. core = "1.2.3"). Library authors cannot express compatibility constraints like "my library works with any core 1.x >= 1.2.3", and application developers must manually bump every transitive dependency version — there is no way for mops install to automatically pick up compatible patch/minor updates.

What this PR does

Adds caret (^) and tilde (~) version range operators, following npm/Cargo conventions:

• Caret ^1.2.3 = >=1.2.3, <2.0.0
• Tilde ~1.2.3 = >=1.2.3, <1.3.0
• Pre-1.0 caret follows Cargo semantics: ^0.2.3 = >=0.2.3, <0.3.0
• Bare versions remain exact pins (backward compatible)

CLI behavior:

• mops add core writes core = "^x.y.z" (caret default)
• mops add core@1.2.3 writes exact pin (unchanged)
• mops update preserves range type and bumps the lower bound
• Resolver validates transitive constraints and reports conflicts

Why we're pausing

Two issues surfaced during review that make this design more disruptive than it first looked.

1. Backend canister doesn't accept ranges

backend/main/utils/validateConfig.mo runs strict Semver.validate (x.y.z only) on every dependency in a published package's config, and PackagePublisher.mo does an exact registry.getPackageConfig(name, dep.version) lookup. A package published with core = "^1.2.3" is rejected by the canister at publish time.

The CLI prints a warning, but the publish still fails — the warning is misleading. Properly supporting ranges in published packages requires backend changes (relaxed validation + range-aware lookup), which means coordinating a canister upgrade.

2. The breaking-change surface is wider than expected

Even with the publish path fixed, every consumer reading a published mops.toml containing ^/~ needs a new-enough CLI to interpret it. Old CLIs would treat ^1.2.3 as an exact version literal, fail to find it, and break. This is a registry-wide one-way door: the moment any popular package adopts ranges, it forks the ecosystem by CLI version.

There is no good way to gate this behind an opt-in flag either, because the on-wire format change propagates to every downstream consumer.

3. Mops already does "compatible-ish" resolution implicitly

Today, when two packages depend on different exact versions of the same dep, the resolver picks the highest one. Effectively most users already get caret-like behavior for transitive deps without writing ^. The marginal value of explicit ^/~ syntax is smaller than expected, and concentrated on letting library authors narrow (with ~) rather than widen the contract — a less common need.

Alternative being explored

A separate PR will explore a Cargo-inspired approach hidden behind an opt-in experimental flag in mops.toml:

experimental = ["compatible-resolution"]

When enabled, bare versions in the consumer's own mops.toml are interpreted as caret ranges at resolve time. Crucially:

• No syntax change to mops.toml (no ^/~)
• No format change to published configs
• No backend changes
• No old-CLI breakage
• Opt-in per project

This is a much narrower experiment that targets the same outcome (automatic compatible patch/minor pickup) without the registry-wide blast radius. See follow-up PR (TBD).

What's salvageable from this PR

• The semver package integration and cli/semver.ts helpers
• The lockfile-shortcut bypass for explicit conflict detection (W1 fix)
• General resolver simplifications (stateless cache helper, tuple destructuring, redundant-check removal)

These can be extracted into smaller PRs independent of the range-syntax decision.

Test plan

• 18 unit tests for isRange, stripRangePrefix, rangeToSemverPart
• TypeScript + ESLint + Prettier clean
• Not landed — see status above