Question

Some widely used libraries are still versioned 0.x, which under semantic versioning, means they might break the API at any time. Examples of such libraries:

There are many popular libraries with dependencies on numba, pandas, scikit-learn, or countless other not-quite-as-popular pre-1.0 dependencies, that themselves have reached v1.0, guaranteeing certain API stability when the major version number doesn't change.

It would seem to me that it's not possible to make such a guarantee when the dependencies don't. Does that mean that under semantic versioning, strictly speaking, a library can only reach v1.0 when all its (important) dependencies have?


Solution

It would seem to me that it's not possible to make such a guarantee when the dependencies don't.

There are many different ways to make such a guarantee. In fact, why would changing the API of an internal dependency affect the external API at all?

If I have a public API, add(a, b), which returns the sum of a and b, and implement it using a third-party dependency like this: a + b, and the third party changes their API to use words instead of operator symbols, I simply change the internal implementation to be like this: plus(a, b), and nothing in my public API changes.

A second way to guarantee API stability would be to simply not update the dependency.

A third way would be to update your major version every time a dependency breaks its API.

A fourth way would be to fork the dependency and keep the API stable.

For example, many Linux distributions have Long-Term Support releases that promise backwards-compatibility, bug fixes, and security fixes far longer than the authors of the packages that are part of the distribution do. The distribution developers simply take up maintenance of those packages themselves when the upstream developers move to an incompatible version.

OTHER TIPS

The semantic versioning guarantee applies to the code within a library. It says, "as long as you use some version of mylib 1.*, your client code will not have to change."

But each of the 1.X versions can have dependencies on third-party software. As I read the definition of SV, there's no reason why these dependencies can't be "you need exactly libfoobar 0.46 to run mylib 1.2".
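As an added illustration of both answers (not code from the original posts), the following checks whether an installed dependency version still satisfies a constraint the way semantic versioning intends: a caret range on a 1.x or later dependency tolerates minor and patch bumps, a caret range on a 0.x dependency only tolerates patch bumps because 0.x promises nothing, and an exact pin ("you need exactly libfoobar 0.46") accepts one version only. The version strings are constructed for the example.

```python
"""Added example: semver constraint check with the 0.x caveat (constructed inputs)."""
import re
from typing import Tuple

Version = Tuple[int, int, int]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse(version: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH'; pre-release/build suffixes are ignored here."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a semantic version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def caret_upper_bound(base: Version) -> Version:
    """Exclusive upper bound for a caret constraint '^base' (npm/Cargo rule).

    major >= 1 : only the next major may break the API  -> (major+1, 0, 0)
    0.minor.x  : no stability promised, treat a minor bump as breaking -> (0, minor+1, 0)
    0.0.patch  : every release may break, so only that patch is allowed -> (0, 0, patch+1)
    """
    major, minor, patch = base
    if major > 0:
        return (major + 1, 0, 0)
    if minor > 0:
        return (0, minor + 1, 0)
    return (0, 0, patch + 1)


def satisfies(installed: str, constraint: str) -> bool:
    """True if `installed` meets '^x.y.z' (caret range) or '==x.y.z' (exact pin)."""
    if constraint.startswith("=="):
        return parse(installed) == parse(constraint[2:])
    if constraint.startswith("^"):
        base = parse(constraint[1:])
        # Tuples compare lexicographically, so this is a plain interval test.
        return base <= parse(installed) < caret_upper_bound(base)
    raise ValueError(f"unsupported constraint: {constraint!r}")


if __name__ == "__main__":
    # A 0.x dependency: the minor bump 0.46 -> 0.47 falls outside the caret range.
    print(satisfies("0.46.3", "^0.46.0"), satisfies("0.47.0", "^0.46.0"))
    # A 1.x dependency: minor bumps stay inside the range, the next major does not.
    print(satisfies("1.4.0", "^1.2.3"), satisfies("2.0.0", "^1.2.3"))
```

A lock file or exact pin (the `==` form) is the conservative choice for 0.x dependencies, since with them even the caret range is a convention, not a promise from upstream.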

Licensed under: CC-BY-SA with attribution