(cross-posting from the GitHub issue linked above)
IMHO the essence of upper bounds is this: being able to compile an old unmaintained package should be a no-op.
Of course using a newer GHC might not be possible, but with upper bounds one is guaranteed to have at least one build plan that works, for some version of GHC.
As a test, someone tell me what dependency versions I need to make wai-middleware-authwork. It’s not a trick, I did spend a couple of days trying to figure it out and gave up 