Our great sponsors
-
pragmaticversioning
Pragmatic versioning optimizes for communicating changes to a package to package consumers, while retaining simple semantics for package maintainers.
-
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
-
-
-
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
Yep, originally I wrote BIGRELEASE.MAJOR.MINOR but I didn't want to confuse the terms. (The first commit shows this: https://github.com/seveibar/pragmaticversioning/commit/70b76...) Good read :)
The biggest issue with semver is that it encourages compatibility breakages unoer a false promise that increased major version number saves the users from the dependency hell.
https://github.com/semver/semver/issues/771
I liked the ideas behind another semver alternative called "imver" or "Immutable Versioning" (https://github.com/imver/imver/blob/master/imver.md)
that never quite caught on.
A lot of the communications regarding End of Life for Support is done very effectively here: https://endoflife.date/
From your issue link:
> Then commons-logging changes its API incompatibly and is released as commons-logging 2.0.1. Authentication adopts commons-logging 2.0.1 while other libraries still depend on 1.1.1
> Now my-application is broken, because the dependency tree includes two versions of commons-logging which share packages, class / functions names, and thus can not be loaded simultaneously.
I absolutely don't see how this is a problem with semver, it is not the responsibility of semver to tell a language how packages should be isolated and loaded. That is a problem of a) the language and b) dependency resolution in the package manager.
> SemVer is a product of Ruby community.
Bundler, by design, does not allow the above, instead having a flat, consistent vision of dependencies.
NPM though, allows that, allowing nested dependencies, by virtue of the ES6 module system importing to a variable in a lexical scope. Go also allows that, by virtue of its imports being scoped to a package (or file, I can't recall).
Ruby can do that kind of isolation too. In fact, I've done it: https://github.com/lloeki/pak
Unless packages leak to globals each version is oblivious to the one next to it. Unless package dependents communicate with one another using objects from the packages they can happily live in their own world. Now if they do, then it's like hitting a HTTP /api/v1 with an HTTP /api/v2 client and somehow wishing things will work. Either the package (which should not leak globals / disallow cross-version communication) or the language (which should not allow leaking globals / detect incompatible communication).
None of this is the responsibility of semver.
Similar goal, different approach:
https://gitlab.com/staltz/comver/-/blob/master/README.md
> I absolutely don't see how this is a problem with semver,
Strange to not see it. Semver promises to solve dependency hell. In the example everyone correctly followed the sevmver and the app is broken by a dependency hell issue.
> it is not the responsibility of semver to tell a language how packages should be isolated and loaded. That is a problem of a) the language and b) dependency resolution in the package manager.
So semver only works for "good" languages?
> Bundler, by design, does not allow the above, instead having a flat, consistent vision of dependencies.
Ok, so what happens with the app when packages managed by Bundler get fragmented by depending on an incompatible version of sub-dependency (commons-logging 1.1.1 vs 2.0.1 as in the example)?
Also note, even for languages and tooling supporting multiple library versions loaded side by side, there are scenarios where things break.
For example, the "libc apocalypse" situation in Rust https://github.com/rust-lang/libc/issues/547
Here after the "libc" module released a major version, the definition for the `void` C type in two versions of the lib are considered by the compiler as two different types, resulting in breakages everywhere around the library ecosystem.
There are also scenarios for dynamic languages / runtime errors.
> None of this is the responsibility of semver. In fact, semver would help the language provide tooling to detect that kind of "hey this instance is from foo-1.0 but you're trying to consume it in foo-2.0".
And what's next after it detected the dependency hell? It's too late and the person suffering is not in the position to fix it. You have to upgrade to "authentication 1.1.2" for security compliance, because the version 1.1.1 has known vulnerabilities. But that breaks the application, because the maintainer of the lower level dependency "commons-logging" follows semantic versioning.
The promise was to prevent dependency hell, not to detect it.
Quoting the ticket and reiterating the point of my first comment above:
Once again, the point of this ticket is to:
Remove the false promise that SemVer solves dependency hell by simply increasing major version.