Use more conservative net-http version constraint

[RDeckard]

Summary

Changes the net-http dependency constraint from >= 0.5.0 to ~> 0.5 to provide better protection against breaking changes in future major versions.

Motivation

The current constraint >= 0.5.0 is very permissive, as it allows any version upgrade, including major version bumps (1.0.0, 2.0.0, etc.) which could introduce breaking changes.

The new constraint ~> 0.5 provides better protection while maintaining flexibility:

• ✅ Allows all 0.x versions (0.5.x, 0.6.x, 0.7.x, etc.), giving downstream projects flexibility
• ✅ Blocks automatic upgrades to 1.0+ major versions, where breaking changes are expected
• ✅ Makes major version bumps more explicit in dependency update PRs

Changes

- spec.add_runtime_dependency 'net-http', '>= 0.5.0'
+ spec.add_runtime_dependency 'net-http', '~> 0.5'

⚠️ Additional important context ⚠️

This change was prompted by a recent incident with https://github.com/ruby/net-http/releases/tag/v0.7.0, which introduced a breaking change (removal of automatic Content-Type: application/x-www-form-urlencoded header for requests with a body) but was released as a minor version bump. Because of the permissive >= 0.5.0 constraint in faraday-net_http, projects using it as a transitive dependency were automatically upgraded to this 0.7.0 version of net-http during unrelated dependency updates, causing unexpected production issues.¹

Further improvements

While ~> 0.5 still allows 0.7.x (since it permits all 0.x versions), it provides protection against future major versions. If you'd prefer even stricter protection, we could consider ~> 0.6 instead, which would block 0.7+ entirely. However, this might be too restrictive for projects that have already upgraded to net-http 0.7.

WDYT?

Footnotes

1. Of course, the reviewer is ultimately responsible for checking all changes in the PR, including transitive dependencies. That said, bumping minor versions when introducing breaking changes makes it more likely such updates go unnoticed, raising the risk of unexpected production issues that are then particularly difficult to trace. ↩

[iMacTia]

This makes sense, thank you!

[wlipa]

Some of the ruby core team feel that this kind of conservative gem versioning is a bad idea; see comments in:

https://bugs.ruby-lang.org/issues/21657

[nevans]

In this particular case, not only would the ~> versioning not have prevented the breakage, but net-http doesn't use semver. For net-http's annual x.y release cycle, we also shouldn't expect v1.0 to include any more (or fewer) breaking changes than v0.8 or v0.9. IMO, there's really not much point to using ~> x.y with libraries that don't even claim to use semver. (And technically, even semver allows breaking changes for any 0.x release.)

IMO, the best approach in this case would be to petition net-http for a backwards compatible deprecation period, which I believe they are already leaning toward. (Notice that ruby/net-http#205 has been reopened.)

Tangentially, dependabot upgrading transitive dependencies without also collecting and reporting their release notes (changelog, commits, etc) is one of my biggest annoyances with it (that and the bug where it insists on converting emojis into shortcodes). I consider it a bug. I've seen dependabot upgrade rails as a transitive dependency for some development gem, without a word in the PR description.