What is the policy when one enforces a newer (Node.js) engine version?
Is it semver MAJOR or semver MINOR?
Context: I'm the author of a package with 2k stars on github (30k downloads per week) and I recently enforced Node.js v14 (because I'm starting to use optional chaining and null coalescing everywhere), and made it a new MINOR version.
But some of my users are complaining and asking me to make that change a new MAJOR version.
Also previously, nobody complained when I enforced Node.js v10 on a MINOR version.
I can't find any resource about that matter, even the semver spec does not specify this (not even in the FAQ section). The spec only talks about the API.
I want to keep my project in line with the correct policy.
Quoting Isaacs from Twitter (#izs), author of the semver npm package (and by the way founder of npm):
I've always considered SemVer Major to mean "you will have to change something on your end to start using this update".
If the previous version worked on platform version X, and the new version requires platform version X+n, then that qualifies, yes.
This has been discussed here in many threads as well SemVer discusions. Some claim it is subjective, but I think if you were to replace the opinionated terms (API, Package, Product) with something like OBV (Object Being Versioned), you will see that spec and most of the knowledgeable participants agree with each other.
If your customer's build environment is broken because you issued a minor or patch release, they have every right to complain. The SemVer spec really focuses more on API versioning, than packages, though it does mention the later in a few places. So the key here is, most of us never actually version just an API, we version packages and the manifests within them, which also implicitly/explicitly include transitive dependencies.
The whole point of SemVer is to communicate risks to consumers of those OBV's. As a publisher, you are responsible for the entire dependency tree that you include in your OBV's. You can chose whether to implicitly or explicitly introduce a breaking transitive dependency into your OBV, therefore it is your responsibility to inform your customers of the risk by bumping the major version.
Related
Dependabot first reported and then retracted a security problem in a package. The basis of the retraction isn't given, just that the package "is no longer vulnerable." That makes no sense. The original CVE is still out there and the affected code is still referenced.
On investigation I find that the given package is in yarn.lock twice, once in a version that contains the vulnerability and later in a version that contains the patch:
ansi-regex#^2.0.0:
version "2.1.1"
ansi-regex#^5.0.0:
version "5.0.0"````
I'd be grateful for any way to make sense of this.
If you landed on this question due to your own "no longer vulnerable" error in a different package: you may still be vulnerable.
According to one of the Dependabot maintainers, the (suspected) most common cause of "no longer vulnerable" is when you are using multiple versions of the same dependency, and one of them is vulnerable, but not the lowest version. The maintainer's post says, in part:
Here's my current understanding:
The alerts are triggered by manifest parsing code that is a separate code path from dependabot-core's parsing code. So if the
alert manifest parsing code thinks the repo is still vulnerable, the
alert will persist.
npm allows multiple versions of a dependency in the dep tree... and these are used in the code at runtime... the newest is not
superseding the old one. So if those exist, you're still vulnerable.
dependabot-core has a known bug where it only updates the lowest version of a dependency... so Dependabot may try to create a PR, then
report that npm is no longer vulnerable, when in fact a later version
of the dependency is vulnerable and is still in the tree. That's
tracked in npm erroneously reports no longer vulnerable with multiple versions of dependency. #5741
The alerts are generated based on information in the GitHub advisory database. So if that database lists all versions > 0.16.5 are
vulnerable, but the maintaner just pushed v0.17.0 which fixes the
issue, then the alert will not disappear until the advisory database
is updated. Thankfully, you can submit a PR to the advisory DB to fix
an incorrect version specifier.
So I suspect that the majority of these cases are symptoms of #5741.
Dependabot issue #5741 says:
when there is a vulnerability that affects some versions of the dependency but not the lowest version. In this case Dependabot incorrectly reports that no security update is needed.
If this source is accurate, it's because the two ansi-regex versions you've listed do not contain the vulnerability:
Confirmed 4.1.0 and 3.0.0 as affected testing using the provided reproducer. 2.1.1 does not reproduce the issue.
3.0.0 is the first affected, as that's the first version that includes 69bebf6 that the problematic part of the regex.
Thanks to answerers for your expertise.
I think the most likely diagnosis is a Dependabot bug. Generally it is wishful thinking to blame your tools but in this case it is the simplest answer by far.
We have a node.js project, and we want to start managing its dependencies using npm's package.json with specified versions for each dependency.
However, we are afraid that one of the packages our project depends on might get unpublished. Should I worry about unpublishing or is it a rare occurrence? What is the most effective way to handle this kind of problems?
It is very rare occurence. Never happened to me.
Unpublish is mostly used to remove a published version in which a major bug is reported. Thus, automatic semantic versioning upgrade will not fetch this version until a new one is published.
Are there any plans for the ServiceStack packages to start using the SemVer standard? We just had an unfortunate circumstance where we were broken by the interface breaking changes introduced in 4.0.44 from 4.0.43 around OrmLite.
We are a sizable commercial customer and have a custom implementation of a OrmLiteDialectProvider for one of our DBMSs, it all seemed good upon the initial upgrade in our web application, however as part of testing the changes around type converting broke our system. This wasn't initially evident as part of the upgrade because our custom implementation is in a NuGet package which overrides OrmLiteDialectProvider.ConvertDbValue on version 4.0.38 which is now gone. There were no binding issues because it is only a minor version difference.
NuGet adopted SemVer back in version 1.6.
Having the SemVer standard would make it a lot easier for us to know when interface breaking changes have been made, without having to dig through the Release Notes page.
NOTE: The release also didn't indicate that the old method had been removed and upgrading would break any custom implementations.
UPDATE FROM RESPONSE
Anyway, fair enough answer. I can appreciate it would be difficult to track each package individually. In our case we wrote a custom dialect provider as we have a legacy DBMS that wasn't supported and this appeared to be the way we were supposed to add the support. We wanted to use ORMLite because we use the rest of ServiceStack and it's a fantastic product.
The new way to support the types is a great improvement and actually made our implementation easier.
We actually ran into this issue because we do always keep our ServiceStack packages inline and were upgrading the ASP portion for some fixes to the WSDL generation and this came along as part of our upgrade.
ServiceStack adopts a single rolling version for all NuGet packages which all share the same Version number. Of all ServiceStack's 60 NuGet packages it's likely there's a breaking change to at least one of the packages so semver would be useless, you should also never mix and match different versions of ServiceStack together - when you upgrade, upgrade all packages to reference the same package versions. We do aim to keep user-facing breaking changes to a minimum, by looking to deprecate old API's first, maintain parallel API versions for a while then list the new API's release notes.
IOrmLiteDialectProvider is not a user-facing interface
However IOrmLiteDialectProvider is not considered a user-facing interface since it should be extremely rare that anyone implements their own custom provider. It's also the interface for specialization for all RDBMS's and often changes with every release to support new features, internal refactoring, optimizations, etc. E.g. implementing Type Converters was a major internal refactor that required changes to IOrmLiteDialectProvider but did not affect OrmLite's external user-facing API, later releases includes optimizations requiring further changes, again this doesn't affect OrmLite's external user-facing API.
SemVer won't help here, every ServiceStack version potentially has a breaking change in some of the packages and we have no intention to complicate each release by versioning each of the individual packages differently. The issue you're having is depending on an unstable Interface that's not intended for customization. It's not treated as a user-facing API so we don't try to maintain compatibility with existing versions or publish breaking changes which happens nearly every time we add features / optimizations to OrmLite. You should instead check the commit history of
IOrmLiteDialectProvider for any changes to this interface.
When browsing the packagist.org repositories you see packages with these version numbers e.g. If you look at the Phpunit repo
There are a few instances
4.5.x-dev
4.3.x-dev
4.2.x-dev
Do these packages contain the current work the developers are performing towards basic updates, security and bugfixes etc on an otherwise basically stable package?
These are the dev branches. These are unstable and contain bug fixes, etc. This will eventually be released as 4.5.8 for instance (if the library is still supported).
You can get it by using 4.5.x-dev or 4.5.*#dev as version constraint.
I am working on a SaaS application with node.js using npm for managing dependencies. I am trying to decide what to do about the version number. Our release model will be to market features and release when ready, rather than marketing versions.
I am looking for advice on the version field for package.json. Since we won't be publishing the app to the npm registry, I can really use whatever version number I want. I really don't want to maintain a typical version number like 1.0, 1.2, 2.0, etc. Since a release is simply a project that ships when ready, dates make better versions for me, like "RELEASE_20130104", but npm requires that the version field in package.json be parseable by semver rules.
I am interested in hearing what the rest of the community has done for SaaS npm-based apps.
Requirements:
Effortless - I don't want to waste time debating between 1.2.0 or 2.0. It's just the next release.
Must satisfy the npm version syntax rules.
Nice-to-haves:
Scriptable through a build process, like extracting SVN branch and
revision number.
Version means something, like the release date.
Solutions I have come up with:
Strictly follow semver major.minor.patch pattern. This will require separate scripts for different release types and will be a nightmare for pre-release builds.
Express the release date in semver format like "2013.01.04"
SVN revision number + branch or tag name like "21484-BugFix21". Downside there is that non-release builds' versions don't tell you what release version they are branched from.
Pick a dummy version and never change it like "1.0.0". Track the version in the format I want in a separate field, like "appRelease": "2013.01.04".
I don't expect right or wrong answers. There are a ton of solutions. I am looking to see what approaches others have taken in the past.