Transitive dependencies are part of public API and thus should increment version accordingly

[Primetalk]

What should I do if I update my own dependencies without changing the public API?

Use your best judgment. ... it MAY be best to perform a MAJOR version release ...

For Java the best judgment can be more precise.

1. Transitive dependencies are part of public API.

Let C be user's project, A be our library and d be a transitive dependency. And let's say that we want to use a newer version of d - d' - in our new version of A'. In Java application with the single class path there are two options: either transitive dependency jar be available on the user's classpath in the version d', or it'll be available in the previous version d (ceteris paribus). In the former case other modules/libraries that were expecting older version d would suffer from incompatibility, in the latter case our library would suffer. The degree of change is exactly equal to the degree of version change of d (MAJOR, MINOR, PATCH). Thus d is effectively part of the public API of our library A.

2. Hence whenever we change a transitive dependency version to some degree, we should change the version of our project to corresponding degree.

• MAJOR change in d => increment MAJOR part of version A;
• MINOR change in d => increment MINOR part of version A;
• PATCH change in d => increment PATCH part of version A.

Of course, we suppose that d follows semver recommendations.

Proposal: Amend this FAQ section and add a special notice for Java (as an important domain for semver).

For Java (and similar environments) transitive dependencies are part of the public API and thus the version of the user library SHOULD be incremented to the same degree:

• for MAJOR change in transitive dependency we SHOULD increment MAJOR part of our version,
• for MINOR change in transitive dependency we SHOULD increment MINOR part of our version,
• for PATCH change in transitive dependency we SHOULD increment PATCH part of our version.

If a few dependencies are being changed, only the highest degree is required to be incremented.

[aij]

This actually isn't specific to Java, but applies to any system that needs to resolve dependencies to a single version. (Which I think is actually most package managers, with the notable exception of NPM [which will instead wantonly break the build by installing incompatible versions of a dependency even when they are part of the API.])

[dlow-yahoo-inc]

I agree with the MAJOR change rule being generally applicable to most package dependency systems. This new rule leads to a new kind of necessary "MAJOR version increment hell" where a commonly referenced project makes a breaking API change and requires all upstream dependencies libraries / systems to make changes and subsequently increment MAJOR as well.

In the cases of MINOR and PATCH, many dependency systems let you specify version ranges and in most cases (>= A.0.0) AND (< A+1.0.0) work fine. So I don't know if there is a general need to increment your MINOR & PATCH every time a transitive dependency posted a new version.

That would simplify the amendment down to something like:

Transitive dependencies are part of the public API thus the version of the user library SHOULD be incremented when a direct dependency makes an incompatible API change:

• for MAJOR change in a direct dependency we SHOULD increment MAJOR part of our version

This rule applies recursively for all transitive dependencies.

[jwdonahue]

This is a "what is being versioned?" problem.

If you are shipping a dependency in your package, and that changes, your package version has to be bumped, but is it a patch, minor or major change? If it's the kind of package that works perfectly fine in side by side (SxS) installations and review/test shows little risk of breaking your customer's code, then it might just be a patch bump. It always comes down to what impact does this have on your customers? If it does not support SxS, then your customers must take the update to use your product, but this could break other products on their system that also rely on that package, so you need a matching minor or major version bump.

If you do not ship the dependency in your package and it changes without any corresponding changes in your code, no bump is needed. If you modify anything in your package, even a manifest, you have to bump something. Again, if you force your customers to take a change that could impact any other software installed on their system, you must bump either the minor or major version, depending on the level of changes made in that dependency.

I think the spec covers all of this, it's just that the full ramifications of it aren't always well understood. So I think I just talked myself into supporting some kind of change in the FAQ to cover these aspects, I don't think it would be Java specific at all.

[Primetalk]

@jwdonahue
My concern is mostly about JVM platform with a single classpath. If there is an option to use side-by-side deployment (like OSGi containers), then it might be possible to use different versions of transitive dependencies. However, this itself might be tricky.
In case of a single classpath JVM deployment, transitive dependency change is sufficient to break user's code, even if nothing has changed in the library's code. That's why the suggestion.

For example, let's take a look at http4s-core library:

org.http4s | http4s-core_2.11 | 0.16.5  | 11-Oct-2017 | pom  jar  javadoc.jar  sources.jar
org.http4s | http4s-core_2.11 | 0.16.5a | 11-Oct-2017 | pom  jar  javadoc.jar  sources.jar

Looking at this suffix a do you suspect any significant difference? If we take a look at the project's site, we'll find out that the difference is in a single transitive dependency - scalaz 7.2 or 7.1. If we research further (https://github.com/scalaz/scalaz/wiki/7.2.0), we'll find out that

This release is NOT binary compatible with 7.1.x and previous milestones, release candidate in the 7.2.x series

So switching 0.16.5 to 0.16.5a will cause major incompatibility in user's code despite that these versions have the same code except the transitive dependency.

That's why I think that this innocent looking suffix a should have been major version change (or at least 0.16 -> 0.17).

[jwdonahue]

I see your point, can you give us any examples where the major version >=1 ? I fear it may be unfortunate that you chose an example where breaking changes are in fact to be expected from any minor change, because the major version is zero.

I should also point out that version labels you use as examples, do not adhere to the SemVer spec.

[Primetalk]

This is a real example we have seen in our project. I can't remember a real example with semver versions.

Indeed, the version labels are not SemVer. However, we might replace the version labels accordingly.

For scalaz versions should have been v7.1.x and v8.0.x (instead of 7.2). What version change should be reasonable for http4s? This issue says that it should have been major part change. For instance, 16.0.0 -> 17.0.0, ... 16.5.0 -> 17.5.0 (with just a transitive dependency version change). Two branches might evolve in parallel but with the explicit major change.

[jwdonahue]

Ok, I think the spec already covers these cases. If you introduce a breaking change, you bump the major version. Should the FAQ cover every scenario that is a breaking change? Probably not, is Java worthy of a special mention? Perhaps.

Please do one or more of the following:

• Clone semver/semver.org, make the changes you propose and issue a pull request. I'm not certain you need to create an issue to link to over there or if you can just link the PR to this one (still a little green on GitHub).
• Close this issue at your earliest convenience.

[jwdonahue]

@Primetalk, apologies for ignoring this for so long. I appreciate that you have expended the effort to issue a PR and I think that should probably be merged. Unfortunately, @haacked has been very busy over the past year and might not get to it for a while. I have created issue #468 in order to step back and take a holistic look at the whole API/Package/Dependencies issue. I've come to the conclusion that if we work this problem piecemeal, we could make it worse, but some additional FAQ's such as yours might help. I also suspect that the spec can't really be fixed without a 3.0.0 version of the spec.

[ageeli158]

ImgBot

[ageeli158]

ImgBot