calva

pez 2025-10-28T15:29:42.792459Z

Dear Calva friends: https://github.com/BetterThanTomorrow/calva/releases/tag/v2.0.539https://github.com/BetterThanTomorrow/calva/issues/2959, by @arthurfucher Previous default versions: • nrepl: 1.3.1 • cider-nrepl: 0.55.4 • cider/piggieback: 0.6.0 Thanks, @arthurfucher for a great experience in getting help with Calva! calva ❤️ Also thanks to @seancorfield for helping us think the feature up! 🙏 So, this means that from now on Calva will by default always use whatever latest versions of Jack-in dependencies that the #nrepl team has cooked for us. The settings for this have changed semantics from “Hey, Calva slow in picking up nrepl updates, use these newest version instead” -> “Hey, Calva too fast, I’m not keeping up with the nrepl team’s pace, use these old version instead”. But it remains that if you have configured any versions, they will keep being used, and if you haven’t you’ll go with what Calva decided for you.

4
❤️ 2
🙏 1
🎉 2
Steven Lombardi 2025-11-19T01:30:14.223599Z

Hey Sean, you mentioned there's been a previous discussion about this. Where's that located?

seancorfield 2025-11-19T01:32:48.560699Z

@lambeauxworks which "this" are you referring to?

Steven Lombardi 2025-11-19T01:33:44.436589Z

Your first response to Phill. You mentioned another discussion.

Steven Lombardi 2025-11-19T01:34:36.650899Z

> just to check: have you read the whole of the previous discussion about this?

seancorfield 2025-11-19T01:34:42.258399Z

Heh, three weeks ago...

😂 1
Steven Lombardi 2025-11-19T01:35:34.443499Z

Just context hunting! :)

seancorfield 2025-11-19T01:39:39.203839Z

This feature was discussed before it was implemented, hence my question to Phill. Pros and cons. You'd have to search back in this channel. I'm on my phone.

Steven Lombardi 2025-11-19T01:40:11.247479Z

Gotcha.

2025-10-29T09:45:52.176829Z

Using an uncontrolled latest version by default (for Jack-in libraries, the LSP server, cljfmt, or anything else) increases most users' exposure to a supply-chain attack. Allowing the user to "pin" a version of each individual part is a robust alternative, but it saddles not the energized Calva groupies but rather the innocent masses with the inconvenience of researching which versions work together, and the burden, whenever a question arises, of not knowing whether it might stem from unusual version choices or something else. The inevitable catastrophe will strike people who did not know they had "asked for" it. I think the risk merits an opt-in. I would like to suggest a middle ground, a "use versions fixed by Calva" (default), vs "use versions I specify" of which each may be a number or "latest"? Would an issue be welcome, and would those be the choices?

seancorfield 2025-10-29T14:44:49.056969Z

@phill just to check: have you read the whole of the previous discussion about this?

pez 2025-10-29T14:54:08.759389Z

It’s unclear to me how this increased the supply-chain attack exposure. Can you elaborate on that particular one, @phill? As for any inconvenience in finding a working trio. Calva ships defaults, and adding the config will start with these defaults.

2025-12-03T00:05:31.155239Z

I am finding this a busy time of year... If someone beats me to https://github.com/BetterThanTomorrow/calva/issues/2969 or portions of it, their heroism will be appreciated!

2025-11-28T10:50:25.908279Z

To start with, I made an issue: https://github.com/BetterThanTomorrow/calva/issues/2969

🙏 1
pez 2025-11-28T10:53:08.661809Z

Friends do not let friends start with PRs without there first being an issue. 😃

seancorfield 2025-11-28T15:20:47.629439Z

Would it perhaps be better for the settings that allow you to override Calva's default jack-in dep versions to be a separate configuration file, rather than combined into settings? I know that would mean it wouldn't auto-sync to other machines (assuming users have sync enabled and use multiple machines!), but then it would be more visible in a project? customREPLCommandSnippets is already handled that way, yes?

seancorfield 2025-11-28T15:22:16.321919Z

Having the versions in settings just feels a bit buried and easy to miss/forget, since you can't actually set them in settings directly, you have to edit the JSON. I think perhaps I don't like any settings that you have to edit the JSON for, instead of being directly exposed in the UI...

pez 2025-11-28T15:32:58.753639Z

For the repl snippets there are mainly two reasons to support dual config buckets: 1. libraries can provide these 2. it’s Clojure code I just learnt that we can enable the settings UI for this config:

"calva.jackInDependencyVersions": {
  "type": "object",
  "description": "...",
  "additionalProperties": false,  // <-- This enables Settings UI rendering
  "properties": {
    // ...existing properties
  },
  "default": {
    // ...existing defaults
  }
}

seancorfield 2025-11-28T15:35:36.762799Z

That's already a huge improvement, IMO!

seancorfield 2025-11-28T15:37:34.960889Z

Can Calva surface internal (updated) defaults in the settings UI? In other words, user sets those versions to override Calva, then updates Calva -- can the settings UI show that Calva's new defaults after the update are different to what the user has explicitly set?

seancorfield 2025-11-28T15:38:01.674729Z

Or perhaps a warning at startup, showing both Calva's defaults and the user's settings?

pez 2025-11-28T15:51:00.199929Z

The Settings UI shows when a config has non-defaults. Also offers to reset it. The UI also shows if the setting has non-defaults in some other scope then the one you currently look at.

pez 2025-11-28T15:52:44.504729Z

We could print the messages about versions in the REPL Output destination in addition to printing it in the Calva says output channel.

seancorfield 2025-11-28T17:20:05.055189Z

Oh, that's nice. I didn't realize it would add all that information. Yeah, I think exposing those properties and adding a message to the REPL Output at jack-in would cover it (IMO).

👍 1
2025-11-27T11:42:04.808799Z

Oops, that thread took quite a turn! I lost track before it shifted to discussion of auto-updating tools upon every jack-in. Anyway, I just noticed an eloquent opinion (on a question unrelated to Calva) from @p-himik > If you want to always use the latest version of org.clojure/data.json - just don't. Dependencies are specified with a fixed version for a reason. > There's a keyword, RELEASE, ...that would make clj occasionally check for the most recent version.... But that should be used only for development tools, and even there it's usually a questionable practice. https://clojurians.slack.com/archives/C03S1KBA2/p1764153529030889?thread_ts=1764147772.350729&amp;cid=C03S1KBA2

pez 2025-11-28T07:59:03.569189Z

Alright @phill, I have let this stew a while now and I am coming over to your side. I’m now leaning towards that removing the “always use latest”, and not even have a setting for enabling it. We could use the facilities for fetching latest to help users to quickly configure latest dependencies as their pinned ones on demand, instead. You offered to cook a PR. Does that offer still stand? 😃

2025-11-06T10:47:48.185989Z

A colleague had an issue with after updating Calva, he was not able to start the REPL , and we discovered that the project that he was using has an old version of cider/orchard as dependency (`"0.34.1"`). When trying to run the REPL it throws an error:

ERROR: Unhandled REPL handler exception processing message {:op eval, :code *ns*, :id 1}
Updating cider/orchard to latest or defining the old versions of jack-in dependencies fix the issue. With that said, I was thinking more about this subject, and there is some cases that can happen when using latest versions by default: • They can have a conflict with some project dependency (as the example) • They can have bugs, and Calva users will get them first without previous testing • New versions of nrepl/`cider-nrepl` can have some breaking changes that need work on Calva side before release (probably will is a corner case, but is something to keep in mind) I think that the suggestion of @phill to make the user explicit says that he wants the "latest" version can be a good option. Another option that I thought is to not get the version directly from the repo central, and have some place with the versions already tested by someone, so it removes the need of bumping Calva with new versions, but this does not cover the first issue that I mentioned. Any thoughts @pez @seancorfield?

pez 2025-11-06T11:12:05.868169Z

> • They can have bugs, and Calva users will get them first without previous testing The #nrepl team is pretty good at keeping the quality up on their releases. I don’t worry much about this as long as users can easily use fixed versions, which they can. Same with the almost 0 breaking changes risk. Your colleague’s situation is more of a worry to me. That would have happened if we had manually updated the hardcoded default dependencies too, so is not really due to the auto-use of latest. What we should consider is if Calva can can help with suggesting courses of action when Jack-in fails. Like tell the user to check for nrepl dependency issues (and choose between pinning Calva’s dependencies or removing/updating the conflicting project config.) Maybe @seancorfield knows how we could create a dependency report/check for the relevant dependencies that could help users when they run into things like this?

pez 2025-11-06T11:13:54.133849Z

I think CIDER used to warn when using a combo of CIDER and cider-nrepl that wasn’t matching. Is that a correct memory, @alexyakushev?

oyakushev 2025-11-06T12:12:50.041489Z

Yeah, we still do that. However, regarding Orchard, there is no such warning. We treat Orchard as integral part of cider-nrepl, and users generally shouldn't set the Orchard version manually.

🙏 1
seancorfield 2025-11-06T16:57:30.656479Z

I don't really have an opinion. My only concern with using "latest" versions was caching of dependencies from deps.edn (using RELEASE or LATEST) but that doesn't apply here right? Calva is running code to figure out the actual latest versions (at startup?) and then using that for any jack-in operations, right? I generally use the very latest available versions of every dev-only dependency -- knowing that I may well run into the sort of bugs @arthurfucher mentions but also knowing that I can debug/fix those fairly easily.

2025-11-07T01:59:02.043769Z

The supply chain paradox is that every time anything is blindly updated to latest, there is a risk of malware. We naturally mitigate the risk by choosing carefully the version of the key dependencies and relying on them likewise to screen the transitive dependencies.

2025-11-07T02:19:58.550949Z

The other half of the paradox is that we (average beneficiaries of open-source) are preoccupied with our own art and usually do not particularly relish intervening to pin or override the version of any one transitive dependency out of the hundreds that our own art might be built on. Rather, we may like a degree of stability (reproducibility), a likelihood to be using the same versions as everyone else, etc.

2025-11-29T10:56:54.997379Z

Hm!!! I think the pictured settings UX improvement could make people not need a "suggest some version numbers" command. That is: you become aware of a reason to update (which means you may know a version number) and your brain stem quickly decides "do I pop open the familiar, easy-to-reach settings or do I hunt for the weird command" in favor of the VS Code settings UI.

pez 2025-11-29T11:31:47.599929Z

The help needn’t be a command. Like @seancorfield suggests we can print the latest versions in the repl output destination on jack-in, same style as we print it to Calva says today (and should keep printing, I think). What versions are being used, and what are the latest versions.

👍🏻 2