by k__ 2364 days ago
SemVer isn't useless because of major bumps, but because of the minor and bugfix.

Theoretically every version change can introduce a bug, which leads to an implicit API change and as such requires being a major version bump.

Also, fixing a bug can also introduce an API change, because the API can behave differently with and without the bug.

SemVer just covers the intent, not what's actually happening, which makes it kinda useless in most scenarios. I guess Elm gets it right, tho'.

1 comments

> SemVer just covers the intent, not what's actually happening

If I say "I'm leaving the office to get a sandwich", that statement only covers my intent. If I then sprain my ankle badly, my statement doesn't say what's actually happening.

SemVer has this flaw because it is a way for a human to say "this change does not introduce a change to the API" and that human can be wrong. That seems to me not useless, it just means it is only useful for projects who are willing to trust the maintainers of your dependencies to avoid being wrong about introducing bugs.

--------

It seems like you're arguing that a project which uses a dependency should:

1) Have humans check the dependencies anyway.

or

2) Wire up their automated test suite to something which can record calls to the API of the dependency and the results of those calls. Turn the record of those calls into a set of API contract test cases. Then, on any version bump (minor, major, or patch), run those autogenerated test cases on the new version.

... I think option 2 might be a good idea? It could be a required reviewer for any dependabot PR.
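
Option 2 from the comment above, sketched as an added example that is not part of the thread: a proxy records the calls a test suite makes into a dependency, and the recorded outcomes are replayed against the bumped version. The dependency, its functions `slugify` and `parse_port`, and the version numbers are hypothetical stand-ins constructed for the illustration.

```python
from types import SimpleNamespace

def outcome(fn, args, kwargs):
    """Normalise a call to ('ok', value) or ('raises', exception type name)."""
    try:
        return ("ok", fn(*args, **kwargs))
    except Exception as exc:
        return ("raises", type(exc).__name__)

class Recorder:
    """Proxy for a dependency that logs every call and its outcome."""
    def __init__(self, dep):
        self._dep, self.cases = dep, []

    def __getattr__(self, name):
        target = getattr(self._dep, name)
        if not callable(target):
            return target
        def wrapper(*args, **kwargs):
            try:
                value = target(*args, **kwargs)
            except Exception as exc:
                self.cases.append((name, args, kwargs, ("raises", type(exc).__name__)))
                raise  # the project's own tests still see the real exception
            self.cases.append((name, args, kwargs, ("ok", value)))
            return value
        return wrapper

def replay(dep, cases):
    """Return recorded calls whose outcome differs on `dep` (a removed function counts)."""
    drift = []
    for name, args, kwargs, expected in cases:
        got = outcome(lambda *a, **k: getattr(dep, name)(*a, **k), args, kwargs)
        if got != expected:
            drift.append({"fn": name, "args": args, "expected": expected, "got": got})
    return drift

# Constructed stand-ins for two releases of a hypothetical dependency.
# The "patch" release fixes a bug: runs of spaces no longer yield "--".
dep_1_4_0 = SimpleNamespace(slugify=lambda s: s.strip().lower().replace(" ", "-"), parse_port=int)
dep_1_4_1 = SimpleNamespace(slugify=lambda s: "-".join(s.lower().split()), parse_port=int)

def app_test_suite(dep):
    """Constructed stand-in for the project's tests that exercise the dependency."""
    assert dep.slugify("Hello World") == "hello-world"
    dep.slugify("a  b")
    assert dep.parse_port("8080") == 8080
    try:
        dep.parse_port("http")
    except ValueError:
        pass

recorder = Recorder(dep_1_4_0)
app_test_suite(recorder)
print(replay(dep_1_4_1, recorder.cases))  # one drifted call: slugify("a  b")
```

The replay flags the bugfix release even though the project's own assertions would still pass on it, which is the case the parent comment describes.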