
Yeah but version ranges are fiction. Someone says: we require libpupa 0.2.0+. Sure you can find a version in that range. But what if it doesn't work? How can you know that your library will work with all the future libpupa releases in advance?




Under semver, any dependency version X.Y.* is supposed to be compatible with any software that was built with version X.Z.* when Y > Z. If not, the author of the dependency has broken semver.

"Supposed to" being the operative phrase. This is of little comfort when you need version X.Y for a security fix but your build breaks.

Note that Maven is more complex than others here have mentioned. In some cases, Maven compares versions lexically (e.g. version 1.2 is considered newer than version 1.10).

Dependency management is indeed hell.
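The two points above, that a semver-compatible range means "same major, at least the requested minor/patch" and that a lexical comparison misorders 1.10 relative to 1.2, are easier to see with a small version comparator. This is an added example written for this page, not code from any commenter, Maven or npm; `libpupa` and the version strings are constructed, and the handling of major 0 and of prerelease candidates follows the npm caret convention as a labelled design choice, not a claim about what any particular tool does.

```python
"""Version ordering and a semver-style compatibility check (added example, not from the thread)."""
import re

# Accepts "1.2", "1.2.34", "1.2.34-pre5" and the thread's spelling "1.2.34.pre5".
# Assumption: a fourth dot-separated component is treated as a prerelease tag.
_VERSION_RE = re.compile(
    r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-.]([0-9A-Za-z]+(?:\.[0-9A-Za-z]+)*))?$"
)


def parse_version(text):
    """Return ((major, minor, patch), prerelease_ids); missing minor/patch default to 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    major, minor, patch, pre = m.groups()
    nums = (int(major), int(minor or 0), int(patch or 0))
    pre_ids = tuple(pre.split(".")) if pre else ()
    return nums, pre_ids


def semver_key(text):
    """Sort key implementing semver precedence: numeric triple, then prerelease rules."""
    nums, pre = parse_version(text)
    if not pre:
        # A release sorts after every prerelease of the same triple.
        return (nums, 1, ())
    # Numeric identifiers compare numerically and rank below alphanumeric ones;
    # a shorter identifier list that is a prefix of a longer one ranks lower.
    ids = tuple((0, int(i), "") if i.isdigit() else (1, 0, i) for i in pre)
    return (nums, 0, ids)


def lexical_key(text):
    """Plain string order: the comparison that ranks '1.2' above '1.10'."""
    return text


def sort_versions(versions, key=semver_key):
    """Oldest to newest under the chosen key."""
    return sorted(versions, key=key)


def is_compatible(required, candidate):
    """Caret-style check: candidate satisfies 'required+' within the same major.

    Design choices (assumptions, not semver gospel):
      * major 0 is treated as unstable, so the minor must match as well;
      * a prerelease candidate only satisfies a prerelease requirement.
    """
    req_nums, req_pre = parse_version(required)
    cand_nums, cand_pre = parse_version(candidate)
    if cand_nums[0] != req_nums[0]:
        return False
    if req_nums[0] == 0 and cand_nums[1] != req_nums[1]:
        return False
    if cand_pre and not req_pre:
        return False
    return semver_key(candidate) >= semver_key(required)


if __name__ == "__main__":
    # Constructed sample: the same list under lexical and semver ordering.
    sample = ["1.10", "1.2", "1.9"]
    print("lexical:", sort_versions(sample, key=lexical_key))
    print("semver: ", sort_versions(sample))
    print("1.2.0+ satisfied by 1.3.7?", is_compatible("1.2.0", "1.3.7"))
    print("1.2.0+ satisfied by 2.0.0?", is_compatible("1.2.0", "2.0.0"))
    print("libpupa 0.2.0+ satisfied by 0.3.0?", is_compatible("0.2.0", "0.3.0"))
```

The lexical sort places 1.10 before 1.2, so a resolver using string order would pick 1.2 as "newest" even though 1.10 is ten minor versions later; that is exactly the situation in which a range meant to pull a security fix silently resolves to an older release. The semver key orders the prerelease 1.2.34.pre5 below 1.2.34, which is why the thread's two conflicting requirements (1.2.34.pre5 and 1.2.35) cannot both be satisfied by one artifact.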


It reminds me of the whole mess of Angular 2+ upgrades. It was I believe before lockfiles in npm? Literally every new person joining the team had to get the node_modules handed to them from someone else's machine for the project to work, since `npm install` could never install anything working together.

More often than not things are compatible within a major version. Very often things are compatible within a minor version.

Not being able to build because one thing depends on libpupa 1.2.34.pre5 and another, on 1.2.35 would be a worse outcome, on average.



