Consider allowing users to specify some NPM dependency versions themselves

[shayneczyzewski]

Is your feature request related to a problem? Please describe. We recently had an issue where a user needed OpenSSL3 support and it required a Prisma upgrade. They had to wait until we upgraded, tested, and cut a new release.

Describe the solution you'd like It could be interesting if we allowed users to set some NPM dependency versions locally, perhaps via environment variables. This may help them in cases like those above, but also when a particular setup is not compatible but we do not want to roll out a change for the entire user base. Additionally, it could help users and ourselves to test future releases (perhaps even in CI).

[Martinsos]

Interesting idea! I am a bit worried about the potential for them to mess things up this way -> they can pick a version that is not tested by us but it seems like it works and then it will bite them at some later point. What if they deploy to production with it? Maybe it is ok solution for them to wait for us to release a new version with updated stuff? I guess the question is, would this be giving them too much freedom, allowing them to shoot themselves in the foot too easily? I don't think there is a clear answer to this though. Maybe we can do it + give some warnings + see what happens? Or we can not do it and wait till it becomes a big enough problem and do it then if needed. Hm!

[shayneczyzewski]

Good questions! I think the wait and see approach makes sense. If we see this continuing to happen and we can think of safeguards, maybe it makes sense. Otherwise, we can just try to keep up to date as best we can ourselves.