Spurred by recent events (https://news.ycombinator.com/item?id=8244700), this is a quick set of jotted-down thoughts about the state of "Semantic" Versioning, and why we should be fighting the good fight against it.
For a long time in the history of software, version numbers indicated the relative progress and change in a given piece of software. A major release (1.x.x) was major, a minor release (x.1.x) was minor, and a patch release was just a small patch. You could evaluate a given piece of software by name + version, and get a feeling for how far away version 2.0.1 was from version 2.8.0.
But Semantic Versioning (henceforth, SemVer), as specified at http://semver.org/, changes this to prioritize a mechanistic understanding of a codebase over a human one. Any "breaking" change to the software must be accompanied with a new major version number. It's alright for robots, but bad for us.
SemVer tries to compress a huge amount of information — the nature of the change, the percentage of users that will be affected by the change, the severity of the change (Is it easy to fix my code? Or do I have to rewrite everything?) — into a single number. And unsurprisingly, it's impossible for that single number to contain enough meaningful information.
If your package has a minor change in behavior that will "break" for 1% of your users, is that a breaking change? Does that change if the number of affected users is 10%? or 20? How about if instead, it's only a small number of users that will have to change their code, but the change for them will be difficult? — a common event with deprecated unpopular features. Semantic versioning treats all of these scenarios in the same way, even though in a perfect world the consumers of your codebase should be reacting to them in quite different ways.
Breaking changes are no fun, and we should strive to avoid them when possible. To the extent that SemVer encourages us to avoid changing our public API, it's all for the better. But to the extent that SemVer encourages us to pretend like minor changes in behavior aren't happening all the time; and that it's safe to blindly update packages — it needs to be re-evaluated.
Some pieces of software are like icebergs: a small surface area that's visible, and a mountain of private code hidden beneath. For those types of packages, something like SemVer can be helpful. But much of the code on the web, and in repositories like npm, isn't code like that at all — there's a lot of surface area, and minor changes happen frequently.
Ultimately, SemVer is a false promise that appeals to many developers — the promise of pain-free, don't-have-to-think-about-it, updates to dependencies. But it simply isn't true. Node doesn't follow SemVer, Rails doesn't do it, Python doesn't do it, Ruby doesn't do it, jQuery doesn't (really) do it, even npm doesn't follow SemVer. There's a distinction that can be drawn here between large packages and tiny ones — but that only goes to show how inappropriate it is for a single number to "define" the compatibility of any large body of code. If you've ever had trouble reconciling your npm dependencies, then you know that it's a false promise. If you've ever depended on a package that attempted to do SemVer, you've missed out on getting updates that probably would have been lovely to get, because of a minor change in behavior that almost certainly wouldn't have affected you.
If at this point you're hopping on one foot and saying — wait a minute, Node is 0.x.x — SemVer allows pre-1.0 packages to change anything at any time! You're right! And you're also missing the forest for the trees! Keeping a system that's in heavy production use at pre-1.0 levels for many years is effectively the same thing as not using SemVer in the first place.
The responsible way to upgrade isn't to blindly pull in dependencies and assume that all is well just because a version number says so — the responsible way is to set aside five or ten minutes, every once in a while, to go through and update your dependencies, and make any minor changes that need to be made at that time. If an important security fix happens in a version that also contains a breaking change for your app — you still need to adjust your app to get the fix, right?
SemVer is woefully inadequate as a scheme that determines compatibility between two pieces of code — even a textual changelog is better. Perhaps a better automated compatibility scheme is possible. One based on matching type signatures against a public API, or comparing the runs of a project's public test suite — imagine a package manager that ran the test suite of the version you're currently using against the code of the version you'd like to upgrade to, and told you exactly what wasn't going to work. But SemVer isn't that. SemVer is pretty close to the most reductive compatibility check you would be able to dream up if you tried.
If you pretend like SemVer is going to save you from ever having to deal with a breaking change — you're going to be disappointed. It's better to keep version numbers that reflect the real state and progress of a project, use descriptive changelogs to mark and annotate changes in behavior as they occur, avoid creating breaking changes in the first place whenever possible, and responsibly update your dependencies instead of blindly doing so.
Basically, Romantic Versioning, not Semantic Versioning.
All that said, okay, okay, fine — Underscore 1.7.0 can be Underscore 2.0.0. Uncle.
(typed in haste, excuse any grammar-os, will correct later)
You make some very valid points, and in most of my opinions about development, I'm old school (eg, I prefer Perl or C/C++ and even assembly language over Ruby or Rust--no offense to either; just my preferences--if something's not broke don't try to fix it) in most of programming preferences and opinions, having been coding since before most people even knew what the Internet was, almost nobody had a cellphone and you were still made fun of in school if you even knew how to turn on a computer. I grew up using BBS's, playing MUDs and coding in x86 assembly, Fortran or good old C89 on BSD and then Linux—and yes, DOS too and eventually Windows 3.1, although not CP/M. My first computer was actually a Commodore 64/128 lol. So I get what you mean about the humanity being removed from software development these days, similarly to how nobody wants to write actual desktop (or God forbid command-line/terminal) applications anymore—they try to turn everything into a damn smartphone app or "Webapp" [sic] with a "simple" design, which means featureless, no dialog boxes (everything opens in a Web-page-like view O.o), few configuration options and other weak design practices. In fact a lot of software isn't even developed or coded anymore. It's just put together like a puzzle. This has its advantages of course, for instance, reusability and sometimes code health and stability, but kind of like you said it takes the humanity out of development. We are not robots. I taught myself and was taught formally later to design, code, debug and configure a piece of software as a well-made, handsomely designed engine or a handcrafted piece of furniture, not on an assembly line using clumsily-fitting building blocks that weren't even intended to be used together (well this is hyperbole, but still xP).
My point is I agree with you for the most part. But I also was brought up to try and see both sides of every story (my step-dad was an LAPD officer and NOT easy to live with, but he taught me well and influenced my later decision to become a Marine) and see the good (and bad) in everything, since almost nothing in life is ever simply "black and white", but somewhere in between. So while 99% of your thoughts are also mine, and I'm glad I'm not the only "traditional" programmer out there, I do see some parts of semantic versioning and similar practices that could in some cases be advantageous.
Thank you very much for giving me another viewpoint, and letting me know I'm not alone. xP I couldn't find any other stuff that looked at semantic versioning as anything but perfection, and whenever I expand my development horizons or learn a new language I try and get a picture of the positive and negative points of its use, so you really helped me. :)