Rapid release cycles

[anantshri]

Hi Folks,

1. Thanks for making a massively successful opensource project.
2. I am just trying to understand here so please pardon if i sound unaware.
3. I am new to npm ecosystem so some of the questions could be out of ignorance.

For past multiple weeks, I have seen a very rapid release cycle with this project. which made me think about a few questions:

1. Is there any specific reason for such a break neck release cycle?
2. Do you do security releases seperately or in order to be updated and secure people just need to keep updating?
3. Whats the recommendation for projects, should they be upgrading every release? (I know this is subjective to project preferences but is there any recommendation from your side?)

I have been trying to go through the existing documentation and I might have missed answers to these questions in which case please do suggest where answers could be.

Thanks in advance for the help here.

[nex3]

We generally release whenever we have changes ready, as long as there aren't other changes that we expect to land immediately afterwards. There's not a particularly strong reason to have a feature ready and not make it available to users.

As an ahead-of-time preprocessor that doesn't have any built-in IO facilities beyond reading Sass files, Sass isn't likely to have security vulnerabilities. In the extremely unlikely case that it does, we'll release fixes as part of the standard release cycle. We don't have the resources to maintain multiple branches of the codebase over time.

I personally recommend that projects stay up-to-date using dependabot or similar tools. We try to avoid breaking changes whenever possible, so most releases will be fully compatible with previous ones. When breaking changes are unavoidable for CSS compatibility reasons, we produce deprecation warnings well before the breakage, so staying up to date will ensure you see deprecations in time to apply fixes before you're broken.