Description
Hi
Just replying to your message on Twitter yesterday (in my TZ).
So I was referring to my #1 issue with some (thankfully a minority) not being semver (http://semver.org/) compliant (despite claiming to be). This usually manifests most often in publishing updates under, say, a patch release; this can cause serious breakage for packages which depend on the offending package.
Also a problem from time to time is package authors doing a bad job of their dependency versioning; most often what I see is users requiring a package with a version of "*". Clearly this is a bad idea, as a major release in the dependency could easily break the integration/usage.
Does that explain in the level of detail you need?
Another issue which springs to mind is people not stating a license for their software. This means that for example, at work, I basically can't use the package as it has no terms of usage.
Cheers
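The comment above flags "*" (and similarly unbounded) dependency ranges as a recurring cause of breakage when a dependency ships a new major version. The following is an added example, not code from the issue author or from this repository: a small Node.js script that scans a package.json and reports every dependency whose range admits any future major version. The package.json content is constructed for the example and all package names in it are made up; the range classification is a heuristic over common npm range syntax, not a full semver range parser.

```javascript
// Added example: flag dependency ranges in a package.json that admit a new
// major version (e.g. "*", "latest", ">=1.2.0" with no upper bound).
// Not part of the original issue; assumes npm-style range syntax.

// Constructed sample package.json for demonstration; package names are made up.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    "left-pad-ish": "*",          // any version at all
    "some-lib": ">=1.2.0",        // lower bound only, no ceiling
    "other-lib": "latest",        // dist-tag, resolves to whatever is newest
    "pinned-lib": "1.4.2",        // exact version
    "caret-lib": "^2.1.0",        // >=2.1.0 <3.0.0, bounded
    "tilde-lib": "~0.3.1",        // >=0.3.1 <0.4.0, bounded
    "blank-lib": ""               // npm treats "" like "*"
  },
  devDependencies: {
    "test-runner": "x",           // x-range wildcard, same as "*"
    "linter": ">=8 <9"            // bounded, fine
  }
});

// True when the range string places no upper bound on the major version.
// Heuristic: wildcards, dist-tag "latest", ">"/">=" with no "<" anywhere,
// and "||" unions where any alternative is unbounded.
function admitsAnyMajor(range) {
  const r = String(range).trim();
  if (r === "" || r === "*" || r === "x" || r === "X" || r === "latest") return true;
  if (r.includes("||")) return r.split("||").some(admitsAnyMajor);
  if (/^>=?\s*\d/.test(r) && !/</.test(r)) return true;
  return false;
}

// Walk the usual dependency sections and return the risky entries as
// { section, name, range } objects.
function findRiskyRanges(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const sections = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  const findings = [];
  for (const section of sections) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      if (admitsAnyMajor(range)) findings.push({ section, name, range });
    }
  }
  return findings;
}

// Stand-alone usage: print one line per risky dependency.
if (typeof module !== "undefined" && require.main === module) {
  for (const f of findRiskyRanges(SAMPLE_PACKAGE_JSON)) {
    console.log(`${f.section}: "${f.name}": "${f.range}" admits any major version`);
  }
}
```

Run it against a real file with `findRiskyRanges(require("fs").readFileSync("package.json", "utf8"))`; a range like "^2.1.0" or ">=8 <9" passes because it has a ceiling, while "*", "latest" and a bare ">=1.2.0" are reported. This only catches the dependant's side of the problem; a dependency that ships a breaking change under a patch version, as the comment also describes, slips through any range check and is only caught by a lockfile plus tests.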