Hacker News new | ask | show | jobs
by ivanbakel 2364 days ago
How is SemVer next to useless? The major version bump informs you that you should go look up what breaking changes have occurred before you upgrade. It is inherently useful for under-approximating the "safe" range of versions of a piece of software that can be used, which is seen in practice in many package managers.

That it can't differentiate between those two cases is because it's not meant to. It's like complaining that the blurb of a novel is "next to useless" because it doesn't tell you the complete story in a detailed way over several hundred pages.
1 comments
k__ 2364 days ago
SemVer isn't useless because of major bumps, but because of the minor and bugfix.

Theoretically every version change can introduce a bug, which leads to an implicit API change and as such require being a major version bump.

Also, fixing a bug can also introduce an API change, because the API can behave differently with and without the bug.

SemVer just covers the intent, not what's actually happening, which makes it kinda useless in most scenarios. I guess Elm gets it right, tho'.

link
afarrell 2364 days ago
> SemVer just covers the intent, not what's actually happening

If I say "I'm leaving the office to get a sandwich", that statement only covers my intent. If I then sprain my ankle badly, my statement doesn't say what's actually happening.

SemVer has this flaw because it is a way for a human to say "this change does not introduce a change to the API" and that human can be wrong. That seems to me not useless, it just means it is only useful for projects who are willing to trust the maintainers of your dependencies to avoid being wrong about introducing bugs.

--------

It seems like you're arguing that a project which uses a dependency should:

1) Have humans check the dependencies anyway.

or

2) Wire up their automated test suite to something which can record calls to the API of the dependency and the results of those calls. Turn the record of those calls into an set of API contract test cases. Then, on any version bump (minor, major, or patch), run those autogenerated test cases on the new version.

... I think option 2 might be a good idea? It could be a required reviewer for any dependabot PR.

link