Why Semantic Versioning Isn't

semantic-pedantic.md

Spurred by recent events (https://news.ycombinator.com/item?id=8244700), this is a quick set of jotted-down thoughts about the state of "Semantic" Versioning, and why we should be fighting the good fight against it.

For a long time in the history of software, version numbers indicated the relative progress and change in a given piece of software. A major release (1.x.x) was major, a minor release (x.1.x) was minor, and a patch release was just a small patch. You could evaluate a given piece of software by name + version, and get a feeling for how far away version 2.0.1 was from version 2.8.0.

But Semantic Versioning (henceforth, SemVer), as specified at http://semver.org/, changes this to prioritize a mechanistic understanding of a codebase over a human one. Any "breaking" change to the software must be accompanied with a new major version number. It's alright for robots, but bad for us.

SemVer tries to compress a huge amount of information — the nature of the change, the percentage of users that will be affected by the change, the severity of the change (Is it easy to fix my code? Or do I have to rewrite everything?) — into a single number. And unsurprisingly, it's impossible for that single number to contain enough meaningful information.

If your package has a minor change in behavior that will "break" for 1% of your users, is that a breaking change? Does that change if the number of affected users is 10%? or 20? How about if instead, it's only a small number of users that will have to change their code, but the change for them will be difficult? — a common event with deprecated unpopular features. Semantic versioning treats all of these scenarios in the same way, even though in a perfect world the consumers of your codebase should be reacting to them in quite different ways.

Breaking changes are no fun, and we should strive to avoid them when possible. To the extent that SemVer encourages us to avoid changing our public API, it's all for the better. But to the extent that SemVer encourages us to pretend like minor changes in behavior aren't happening all the time; and that it's safe to blindly update packages — it needs to be re-evaluated.

Some pieces of software are like icebergs: a small surface area that's visible, and a mountain of private code hidden beneath. For those types of packages, something like SemVer can be helpful. But much of the code on the web, and in repositories like npm, isn't code like that at all — there's a lot of surface area, and minor changes happen frequently.

Ultimately, SemVer is a false promise that appeals to many developers — the promise of pain-free, don't-have-to-think-about-it, updates to dependencies. But it simply isn't true. Node doesn't follow SemVer, Rails doesn't do it, Python doesn't do it, Ruby doesn't do it, jQuery doesn't (really) do it, even npm doesn't follow SemVer. There's a distinction that can be drawn here between large packages and tiny ones — but that only goes to show how inappropriate it is for a single number to "define" the compatibility of any large body of code. If you've ever had trouble reconciling your npm dependencies, then you know that it's a false promise. If you've ever depended on a package that attempted to do SemVer, you've missed out on getting updates that probably would have been lovely to get, because of a minor change in behavior that almost certainly wouldn't have affected you.

If at this point you're hopping on one foot and saying — wait a minute, Node is 0.x.x — SemVer allows pre-1.0 packages to change anything at any time! You're right! And you're also missing the forest for the trees! Keeping a system that's in heavy production use at pre-1.0 levels for many years is effectively the same thing as not using SemVer in the first place.

The responsible way to upgrade isn't to blindly pull in dependencies and assume that all is well just because a version number says so — the responsible way is to set aside five or ten minutes, every once in a while, to go through and update your dependencies, and make any minor changes that need to be made at that time. If an important security fix happens in a version that also contains a breaking change for your app — you still need to adjust your app to get the fix, right?

SemVer is woefully inadequate as a scheme that determines compatibility between two pieces of code — even a textual changelog is better. Perhaps a better automated compatibility scheme is possible. One based on matching type signatures against a public API, or comparing the runs of a project's public test suite — imagine a package manager that ran the test suite of the version you're currently using against the code of the version you'd like to upgrade to, and told you exactly what wasn't going to work. But SemVer isn't that. SemVer is pretty close to the most reductive compatibility check you would be able to dream up if you tried.

If you pretend like SemVer is going to save you from ever having to deal with a breaking change — you're going to be disappointed. It's better to keep version numbers that reflect the real state and progress of a project, use descriptive changelogs to mark and annotate changes in behavior as they occur, avoid creating breaking changes in the first place whenever possible, and responsibly update your dependencies instead of blindly doing so.

Basically, Romantic Versioning, not Semantic Versioning.

All that said, okay, okay, fine — Underscore 1.7.0 can be Underscore 2.0.0. Uncle.

(typed in haste, excuse any grammar-os, will correct later)

Those documented idiomatic "features" are just convention. Those conventions assume everything out there uses SemVer, and uses it correctly (even though the OP's point is that determining breaking vs non-breaking is not always an easy thing).

The tools don't know that minor bumps are supposed to be non-breaking, you tell them to freely update to what you think/hope will be non-breaking by specifying the version constraints. The tools don't misunderstand, they just do what you tell them to. But the users might, and that's kind of the point. Doing perfect SemVer, ie: never ever breaking anything on minor (or patch) bumps; managing to get important fixes that only exist behind a major bump out to users since so many, through convention, have specified to never take a major bump, etc.

Making the assumptions that SemVer insists on is stifling on both ends. Minor bumps do break things sometimes, even patch bumps sometimes change expected behaviors and break things, so users need to be more careful than just "lock the major, take all minor and patch bumps", and devs need to do so much extra work: in deciding whether to save things up for a big major bump, whether to shoehorn improvments back to previous majors, when to stop supporting a previous major or minor.

Many many packages already do say "the version numbers of my package have a different meaning". Linux kernel, anthing with CalVer, basically all modern browsers (when's the last time Chrome or Firefox didn't have a .0 minor?) Some Python libraries effectively only bump the major and patch, either because breaking changes are either super-rare or practically unavoidable and users are expect to read the docs. Some packages basically always have minor version locked in real world usage because they're unreliable about not breaking things. Yes, changing it on the fly might cause issues, but it can be done, maybe after a major bump, after all that's what it's for!

And we did't even get into the reproducibility argument yet, and that no one should be leaving even patch level updates to be applied on the fly at deploy time. Which comes back to OP: set aside time to do upgrades on a regular basis, read the docs for stuf you use, bump versions according to how those rules apply to your usage, test thoroughly, be prepared to have to make fixes no matter the size/type of the version bump, then lock those versions for consistent behavior throughout the workflow.

I can only speak for myself, but if there's any chance a new release could break something, I document it and give it a major version bump.

I worked in one setting where we built a very modular system - many versioned packages with many dependencies. We used the same policy of liberally increasing the major version number, even for conceptual (not technically) breaking changes, even for bug fixes when those were technically breaking changes, and while this frequently led to what we called "the dependency dance" (upgrading a slew of modules) this saved us tons of time for during the many minor and patch releases.

I worked in that setting for 5-6 years, and I can't recall anyone every releasing a breaking change with a minor bump.

So I reject the idea that it can't work.

Although I do agree that people suck at this.

I think a large part of the problem is the intuitive resistance to a major version bump, "it's just a bug fix, yeah it's breaking, but it doesn't feel major" - an intuition that was likely fostered by the many years or romantic versioning that software grew up with.

We did have to stamp it into the heads of the entire team to get them to strictly follow SemVer - but it worked.

Breaking or non-breaking is not a "think/hope" situation - it's a matter of diffing before you release, paying attention to any public interfaces that may have changed, and then accepting the fact that even a bug fix or conceptual change can be breaking, and bumping the major version number liberally.

It will feel wrong until you realize that it works, and it works the way it was intended. 😊

Yes, following SemVer to the letter is possible, and arguably (you just showed it) not difficult. The question was more about if those liberal major bumps for breaking* changes but that might only effect 1% of users, are worth inflicting the "dependency dance" on the other 99%. Sticking to perfect SemVer means you're choosing to do that.

Also remember that the need/want/requirement for major version bumps to "feel important" doesn't always come from the developers. It sometimes comes from management. And it can also come from user intertia: it's hard to justify spending the time on a "dependency dance" when the end result is a conceptual change in a part of a library that I don't even use, so that major bump might just get skipped until some free time pops up (hahaha!) or an actual security of bug fix is included.

Yes, SemVer works as advertised re: messaging around breaking vs non-breaking changes. But is it always worth the costs it can sometimes incur on users?

• (no need to say "technically" breaking for bugfixes if the rule is "a breaking change is breaking change no matter how big or small")

I worked in that setting for 5-6 years, and I can't recall anyone every releasing a breaking change with a minor bump.

And you haven't slipped a single bug in half a decade? 😬

And are all of your dependencies and subdependencies following SemVer to the letter, without exceptions? And there hasn't been a single bug in them?

This has been going for a while hasn't it. As a consumer of open source code, and a producer of open source and closed source code, I depend on SemVer being exactly what it says. There's no concept of "perfect SemVer", it's SemVer or not Semver.

The question was more about if those liberal major bumps for breaking* changes but that might only effect 1% of users

You can never tell for sure, unless you are tracking, what the size of the blast radius will be. Using SemVer is a clear message to everyone what is going on: there's a breaking change, be careful here.

But is it always worth the costs it can sometimes incur on users?

That is entirely up to the user to decide. Take the cost, or keep the current version. If I update a thing, it's up to the consumers of the thing to make the call on the upgrade, not my call as a producer of the software package/item.

There's no concept of "perfect SemVer", it's SemVer or not Semver.

Exactly.

But since virtually every library has (sub)dependencies that violate SemVer, every library has bugs, every library has (sub)depenencies that have bugs — it's never SemVer.

virtually every library has (sub)dependencies that violate SemVer

I'm going to see some real study data on that particular claim before I can accept it as truth, or even partial truth.

virtually every library has (sub)dependencies that violate SemVer

I'm going to see some real study data on that particular claim before I can accept it as truth, or even partial truth.

Here are some projects that don't follow SemVer and that your projects may depend on:

• Linux kernel: has breaking changes in patch versions
• Node: dropping platform support not always treated as a major version
• Rails: does not follow SemVer, with versioning not reflecting compatibility changes
• Python: officially not SemVer, minor releases can have breaking changes, especially in less-used features
• Ruby: officially not SemVer
• jQuery: has had breaking changes in minor updates
• npm: has had breaking changes in minor updates
• TypeScript: uses decimal-like notation: 3.9 → 4.0; never 3.10, minor version bumps can break types
• Express: had unexpected middleware behavior changes in minor updates
• ESLint: a minor version bump can cause ESLint to report more errors and break your CI build
• Next.js: head breaking changes in minor bumps more than once
• Cryptography (Python) :switched build system to Rust in a minor update (e.g., 3.4.0), breaking builds

This list can go on forever, virtually no project is a SemVer saint. And as you said, if it's not strictly SemVer, it's not SemVer at all.

And every bug is a SemVer violation! 🤯 Do you need "real study data" that bugs happen?

Another big issue is that there can be implicit dependencies on internal behavior of a library. E. g. I use a library in my app, it works. I upgrade the library's minor version and my app breaks. When I investigate, I find that some internal behavior of the library has changed. I confront developers about it — and they respond that it was private API that changed and they never promised it to be stable. Some race condition started to have a different outcome after the upgrade, or something like that, the specific behavior was not even documented, so library maintainers felt not responsible. Note that I wasn't even using any private APIs! I just used the library and it happened to have certain behavior which changed in a subtle way without a major bump, breaking my app but not violating SemVer because they didn't change any API footprints!

Believing that three numbers can protect your app from regressions caused by upgrades is just... ridiculously naive. I can't wrap my head around how many people smarter than me believe in this fallacy. It feels like SemVer is a religion that defies reason and critical thinking.

Every dependency upgrade must rely on an extensive test suite and occasional manual QA. In web development, if you do minor version bumps without at least reading changelogs — you are doomed to have occasional regressions. I web developer who hasn't had a single one in 5-6 years is a happy developer. I envy you.

Thanks for putting together that list! If those projects don't follow SemVer, but claim to, then that's definitely a badly-behaved project in that regard.

And every bug is a SemVer violation! 🤯 Do you need "real study data" that bugs happen?

I don't get the reasoning that a bug is SemVer violation. Is it because a bug is unexpected behaviour that can break your stuff?

I confront developers about it — and they respond that it was private API that changed and they never promised it to be stable.

That's on them--they are bad actors and are untrustworthy or unserious developers, imo. It's not helpful for us, the consumers, I know, but it's a message that you might need to change your risk assessment on using that software. Ok, it's funny to say that the Linux kernel developers are unserious, but if they have committed to SemVer, claim to practice it, and then do not, well then that's not a good look. (I don't know if they claim it, just picking the top of the list there. If no-one claims SemVer, then all your bets are off on versioning).

Believing that three numbers can protect your app from regressions caused by upgrades is just... ridiculously naive.

No-one believes that. We would like it if the people that produce software that has versioning and claim SemVer actually took their job seriously, but as you pointed out this is just not true. We would love teams/projects to be committed to their customers, but not all of them are. There's no naivety here, a version number doesn't protect you, as any software developer knows. That is why we have tests in place to check for subtle changes in behaviour, why we do incremental rollouts, etc.

The SemVer claim doesn't guarantee anything above and beyond whether you can trust the project developers to be true to their stated claims.

SemVer is not a religious thing at all, it's a behavioural commitment that a project gives to its consumers. Breaking that commitment, silently and with warning is a super dick move from a project.

If those projects don't follow SemVer, but claim to, then that's definitely a badly-behaved project in that regard.

Half of them claim to follow SemVer and have violated it. Others officially don't follow SemVer, but numerous libraries that depend on them —do.

---

I don't get the reasoning that a bug is SemVer violation. Is it because a bug is unexpected behaviour that can break your stuff?

A bug in a dependency can break your app. A dependency version that has introduced a bug is literally a breaking change. Bugs often appear in patch and minor versions, breaking apps all the time, routinely violating SemVer.

---

A common understanding of SemVer is that you can safely upgrade minor versions of dependencies, since they don't contain breaking changes. But a minor upgrade can break your app in many ways:

• A bug in the upgraded dependency or its subdependency.
• A SemVer violation in the upgraded dependency or its subdependency.
• A behavior change in the upgraded dependency or its subdependency, that is not technically violating SemVer because it's private API or under-the-hood logic that was never promised to be stable, but your app implicitly depends on it in a subtle way. You wouldn't even know about it until it breaks on a minor upgrade.

---

That's on them--they are bad actors and are untrustworthy or unserious developers, imo.

Let's not focus on "on whom it is" for a moment. What's important here is that all software development depends on projects that either don't follow SemVer or have been violating it. According to your definition of SemVer («There's no concept of "perfect SemVer", it's SemVer or not Semver»), nothing is SemVer.

If the SemVer spec itself had minor releases, it would be possible to find an itty-bitty nitpicking breaking behavior that would affect literally nobody but would still technically be a breaking change, making SemVer not SemVer.

---

The SemVer claim doesn't guarantee anything above and beyond whether you can trust the project developers to be true to their stated claims.

And the entire tree of their dependencies and subdependencies! That they don't have any control over and that they cannot realistically avoid using.

Breaking that commitment, silently and with warning is a super dick move from a project.

Looks like the only way of not being a dickhead for a software project is to announce that they're not attempting to follow SemVer at all. Which many projects do, and maybe partly for this very reason.

---

PS I'm not saying that I'm against the cause of SemVer. I wish the software development world worked like that, and developers' lives would be so much easier. But it's not and they're not.

I've just realized something, from the bug-breaks-app position stated above, that we are are looking at slight different aspect of applications of SemVer. I think I am applying it to library-level behaviours, individual packages eg if I am releasing a ruby gem, I'll check the behaviours before I ship it, making sure there's no breaking changes to the library as best I can, and definitely ensure that the API is scanned for no breaking changes. I mean, if you are a software provider you check as best you can that you are aligning with your commitment to your customers. So - I don't align with SemVer to an app, but I do align with SemVer on libraries that compose an app, if that makes sense.

I guess I have spent long enough differentiating between the "marketing" version of a thing, the "release" version of a thing, and any contractual guarantees that have been inked (for proprietary software) based on upgrade impacts and how to locally enforce them at the dev level. I've also worked with "an API is forever" organizations, where you have to keep everything moving along until people stop using the 0.2.1 API that was released 8 years previously.

Developers lives are not easier and are not getting easier and it's a pain in the neck, but now I have gone entirely off-topic. Thanks for the conversation 👍

@oisin writes:

Developers lives are not easier and are not getting easier and it's a pain in the neck, but now I have gone entirely off-topic.

I like to think about why developers lives are not getting easier. I think by choosing to "move fast and break things", we are causing our own headaches. Consider how smoothly developers survive major versions of the Linux kernel, make, gcc, libc, and other tools, libraries, and languages that "don't break userspace". I can run a 40 year old Makefile today to compile a program which will run correctly (see my 2015 article Major Release Syndrome).

SemVer seems to give us a license to ignore backward and forward compatibility.

And you haven't slipped a single bug in half a decade? 😬

Of course.

If we accidentally shipped a breaking change as minor, a patch release would be issued, reverting that change.

Then a major release would be shipped.

And are all of your dependencies and subdependencies following SemVer to the letter, without exceptions?

We can't control what third-party dependencies do - but for some reason, most of the third-party Composer (PHP) packages we used were very well versioned. NPM for some reason is much worse about this. It could be cultural, in part, but I suspect maybe a large factor is PHP has type-hints. (Not sure if the situation is better for TypeScript packages? I haven't really thought about it before.)

And there hasn't been a single bug in them?

Everyone ships bugs, I'm not claiming we did it perfectly - we took versioning seriously, that's all. 😊

There's no concept of "perfect SemVer", it's SemVer or not Semver.

That is the hard line stance we took as well.

But is it always worth the costs it can sometimes incur on users?

That is entirely up to the user to decide. Take the cost, or keep the current version. If I update a thing, it's up to the consumers of the thing to make the call on the upgrade, not my call as a producer of the software package/item.

Exactly this.

By liberally increasing the major version whenever it seems prudent, your users get to make a conscious and deliberate choice - we also maintained a mandatory change log explaining any breaking changes, why they were made, and how to upgrade.

every bug is a SemVer violation! 🤯

Not strictly wrong.

But of course, the intention with SemVer is to document/specify with version numbers what you know.

Bugs aren't normally known at the time of release, and so of course no one can be expected to get this right 100% of the time.

What we can do, is roll back a breaking change that we versioned as a compatible change, and correct the mistake - every bug is a SemVer violation, but one that you've committed to correcting with another release to restore SemVer compatibility.

I confront developers about it — and they respond that it was private API that changed and they never promised it to be stable.

For internal members, we used the @internal annotation - calling an internal constructor (or method) will highlight with a warning in most IDEs. Users should understand what this means - if you're using something that's internal to the package, it's subject to refactoring, and there are no guarantees or commitment that it'll even exist in the next release. We taught our team to do this.

SemVer is not a religious thing at all, it's a behavioural commitment that a project gives to its consumers.

💯

every bug is a SemVer violation! 🤯

They are GENERAL API specification violation, regardless of what versioning you use.

When that happens, the appropriate response to fix the bug in a new patch release.

Thankfully, SemVer helps us communicate that! 🎉