Checking the bug mentioned, it was fixed in 2022.
So, I’m wondering how one would upgrade to scala 3, while keeping old version of libraries?
Keeping updated libraries is a good practice (even mandatory if you get audits like PCI-DSS).
That part puzzled me more than the rest.
I was considerably less impressed by the reporting when I finally found out the culprit.
Sure it was “Scala 3” … but not really.
It was an interaction of factors and I don’t think it would take away from the story to acknowledge that up front.
> I did it as usual - updating dependencies
but later
> After upgrading the library, performance and CPU characteristics on Scala 3 became indistinguishable from Scala 2.13.
So... he didn't upgrade everything at first? Which IMO makes sense, generally you'd want to upgrade as little as possible with small steps. He just got unlucky.
Pinning specific versions of transitive deps is fairly common in large JVM projects due to either security reasons or ABI compatibility or bugs
(For scala-specific libs, there is a bit more nuance, because lib versions contain scala version + lib version, e.g. foolib:2.12_1.0.2 where 2.12 = scala version)
First, the "good practice" argument is just an attempt to shut down the discussion. God wanted it so.
Second, I rather keep my dependencies outdated. New features, new bugs. Why update, unless there's a specific reason to do so? By upgrading, you're opening yourself up to:
- Accidental new bugs that didn't have the time to be spotted yet.
- Subtly different runtime characteristics (see the original post).
- Maintainer going rogue or the dependency getting hijacked and introducing security issues, unless you audit the full code whenever upgrading (which you don't).
The normal way.
> Keeping updated libraries is a good practice
So is changing one thing at a time, especially when it's a major change like a language version upgrade.
You can instead document exceptions for why all those vulnerabilities doesn't apply to your app, but that's sometimes more trouble.