Auth0 2.8.0 is unable to resolve dependencies

[swizzlr]

Checklist

• The issue can be reproduced in the Auth0.swift sample app (or N/A).
• I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
• I have looked into the API documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Description

Auth0.swift/Package.swift

Line 13 in 0245032

.package(url: "https://github.com/auth0/SimpleKeychain.git", .upToNextMajor(from: "1.1.0")),

now resolves to SimpleKeychain 1.2.0. 2.8.0 supports iOS 13, but 1.2.0 supports iOS 14.

The workaround is to either update to 2.9.0 or manually fix a dependency on SimpleKeychain at 1.1.0. A previously pinned package will continue to work until either an attempt is made to resolve without pins or if the user attempts to update all package versions with Xcode (which does not support selectively updating the package.resolved).

The impact of this is that any CI processes that currently resolve to 2.8.0 (e.g. upToNextMinor) and have unpinned dependencies (such as internal packages) will now arbitrarily break.

Reproduction

• Resolve a Swift package that depends on 2.8.0 (e.g. upToNextMinor or exact)
• See that it doesn't

Additional context

No response

Auth0.swift version

2.8.0

Platform

iOS

Platform version(s)

n/a

Xcode version

n/a

Package manager

Swift Package Manager

[desusai7]

Hi @swizzlr,

We are working on fixing this

[desusai7]

Hi @swizzlr,

Thank you so much for your patience! I'm happy to share that we've addressed this issue in our 2.9.0 release, which now pins dependencies to a specific version rather than allowing updates up to the next major release.

In the meantime, manually setting the dependency version should resolve the issue for you. Please let us know if you run into any further problems—we're always here to help!

[hsingh-texada]

@desusai7
I am absolutely furious with how this has been handled. As the owners of the Auth0 library, it is beyond unacceptable that you’ve likely broken the systems of hundreds of your customers with this change and haven't even bothered to release a patch. And then you expect us to manually adjust dependencies ourselves? This is completely outrageous.

At the very least, you should have released a 2.8.1 patch to fix the version pinning, which would have prevented this mess and ensured customers didn’t encounter the issue in the first place.

To make matters worse, 2.8.0 is a disaster. It should be treated as a faulty release, possibly removed altogether, and customers should be directed to the fixed 2.8.1.

Get this sorted out immediately. You're eroding customer trust, and this level of negligence is unacceptable.

[hsingh-texada]

Any updates here @desusai7 ?

[desusai7]

Hi @hsingh-texada,

Apologies for all the delay on this, we will release a patch for this.

[desusai7]

Hi @swizzlr, @hsingh-texada,

We've just released version 2.8.1 with the fix to this issue, please check this out and let us know if you run into any issues

[Meowzz95]

I think I'm getting the same issue with 2.10.0

How can I fix this? I tried 2.8.1 as well, didn't work