Does Semantic Versioning allow 4 components in version numbers?

Question

All examples of semantic versioning I've seen show 3 components in use. No more than 2 period characters. At $DAYJOB, we use 4 components in our release numbers:

5.0.1.2

Does Semantic Versioning allow for this?

And as a higher-level and more arguable side question, does it really even matter? I started to think it might be a good idea to enforce semantic versioning, but ultimately entities like PCI override it.

I should have clarified on my PCI comment. The issue is that audits and their cost influence when the major and minor components change, not necessarily a true new feature. For example, if a feature related to payments is introduced, we bump the minor number for PCI. But if we add a brand new feature related to something in the gui, it doesn't. Only the patch changes. So in this case we don't really get a say in the matter as developers since someone else makes those decisions.

Answer 1

It sounds like you are bypassing normal conventions just to avoid process overhead/audits. That... strikes me as concerning.

What you are doing is effectively making an extra version number (your minor PCI digit) somewhat intentionally in order to move your feature/minor version numbers back a place, to no longer trigger your internal audit criteria.

---

Anyways, getting to your question about semantic versioning, the spec for Semantic Versioning states:

Given a version number MAJOR.MINOR.PATCH, increment the:

• MAJOR version when you make incompatible API changes,
• MINOR version when you add functionality in a backwards-compatible manner, and
• PATCH version when you make backwards-compatible bug fixes.
• Additional labels for pre-release and build metadata are available as extensions to the MAJOR.MINOR.PATCH format.

Emphasis mine.

So the question is, are you using the fourth character for pre-release/build metadata? Or is it basically another version indication that you are releasing?

If "yes" then semantic versioning's spec does allow for it. If "no" then you technically are not following semantic versioning.

And as a higher-level and more arguable side question, does it really even matter?

Whether you want to rigidly follow it or not is a decision you and your team have to make. The purpose of semantic versioning is to help with API compatibility:

Bug fixes not affecting the API increment the patch version, backwards compatible API additions/changes increment the minor version, and backwards incompatible API changes increment the major version.

I call this system "Semantic Versioning." Under this scheme, version numbers and the way they change convey meaning about the underlying code and what has been modified from one version to the next.

It's a system that helps make it more clear when versioning affects downstream users of the API.

As long as your API is similarly clear it's not a huge deal which way you choose. Semantic versioning just happens to be straightforward, for example if I'm using 3.4.2 and need to upgrade to 3.4.10 I know I can do so without breaking anything. If the new version is 3.5.1 I know it's backwards compatible. And I know version 4.0.1 would be a breaking change.

That's all part of what the version numbers mean.

@enderland Yes basically. MAJOR(PCI).MINOR(PCI).FEATURE.HOTFIX+BUILD. We're basically only allowed to change the 3rd and 4th component without getting PCI (and subsequently the PCI overlords at the company) involved. To me it feels like this is a bit contrived, I am not sure they are justified in the way they manage the version number, but I do not know enough about PCI and audit process to say otherwise.

Ok, this is fine. You have a system which works for you and meets your needs. That's the point of versioning.

If your API is private (only internally facing) it really doesn't matter how you version as long as it makes sense to you and everyone using it. Where versioning in a standard format matters is when you have many other consumers of your API that need to know "what does this version mean?"

Having an arbitrary versioning system will confuse people who are used to other systems, such as semantic versioning. But if no-one is really using your versioning system except the people creating it - it doesn't really matter.

Answer 2

In the current version of Semantic Versioning, which is 2.0.0, no. There is a requirement that defines the version as the form X.Y.Z where X, Y, and Z are non-negative integers that do not contain leading 0s:

A normal version number MUST take the form X.Y.Z where X, Y, and Z are non-negative integers, and MUST NOT contain leading zeroes. X is the major version, Y is the minor version, and Z is the patch version. Each element MUST increase numerically. For instance: 1.9.0 -> 1.10.0 -> 1.11.0.

However, the ability to add metadata is allowed for:

Build metadata MAY be denoted by appending a plus sign and a series of dot separated identifiers immediately following the patch or pre-release version. Identifiers MUST comprise only ASCII alphanumerics and hyphen [0-9A-Za-z-]. Identifiers MUST NOT be empty. Build metadata SHOULD be ignored when determining version precedence. Thus two versions that differ only in the build metadata, have the same precedence. Examples: 1.0.0-alpha+001, 1.0.0+20130313144700, 1.0.0-beta+exp.sha.5114f85.

Something important to note, though, is that Semantic Versioning is specifically for software that declares a public API:

Software using Semantic Versioning MUST declare a public API. This API could be declared in the code itself or exist strictly in documentation. However it is done, it should be precise and comprehensive.

This tends to support the development of libraries or services and not at an application level.

The important thing to consider is what your version numbers mean, both to internal and external use. Versions are just identifiers that allow you to talk about differences in software at two different points in time. Semantic Versioning is one method of putting rules around this, so if you know that an application is using Semantic Versioning, then you can more easily determine the level of effort required to update your packages. Following a common standard may be good, but if you can't for any reason, documenting the rules for your users should also be sufficient.