Semantic Versioning and Dependency Changes

Question

Some context: I'm working on a team which produces 6 different NuGet packages, which depend directly, and sometimes indirectly, on each other. Simply, we could have a situation like p0 < p1 < p2, where package p0 depends on p1, which in turn depends on p2. We're trying to follow Semantic Versioning for these packages, but aren't quite sure what to do with p0's version when p1 or p2 changes.

Here are some concrete examples:

• p1 makes a breaking change (say 0.0.0 → 1.0.0). We want to publish a version of p0 which depends on 1.0.0. Should this be a major or minor version bump for p0?
• p1 makes a minor changes (0.0.0 → 0.1.0). Should this make a minor / patch version bump for p0?

More importantly,

Is there any standard / consensus on how dependency version changes should affect package version changes?

Answer 1

Semantic versioning is all about what the change means to the users of that library. So if the change in p1 doesn't cause a breaking change in p0 then I don't see why it would require a major version bump in p0.

Basically, use whatever versions of dependent libraries work (remember that your users could be overriding them with different versions too, based on your dependency rules!), your versioning should only reflect what will affect your users.

Warning, opinion based content ahead

In my opinion, there's a fair bit of "caveat emptor" if you are directly using a transitive dependency (ie, using p1 but only listing p0 as a dependency) as a client of a library. This goes double when you have a lot of dependencies (as in most NPM packages) that go many, many layers down. I don't expect the authors of those libraries to keep track of all version changes of all transitive dependencies so I know to check.