this post was submitted on 02 Jul 2026
145 points (98.7% liked)

Programming

27526 readers
354 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Rules

  • Follow the programming.dev instance rules
  • Keep content related to programming in some way
  • If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev



founded 3 years ago
MODERATORS
 

I saw an issue today on a fairly popular project (better-auth, see the link to the issue attached). No repro, no context, just a wall of caps and profanity ending in "fuck you". The maintainers ship this for free. People run production businesses on top of it, for free. And the thanks is someone raging into a text box because a minor bump cost them an afternoon.

I maintain and contribute to a few projects myself, so this hits a nerve a bit. Something people don't see from the outside: it's not enough to know how to build the thing. You also have to know how to defuse a thread where someone's insulting you and not fire back, even though most of us aren't paid for any of it, let alone the work of staying civil while being told to get fucked.

I'm not pretending breaking changes don't cause real pain (that's what the issue is about). But I keep coming back to a boundary question: if you're not paying for it, do you actually get to demand anything? (Obviously yes, but we still need some boundaries)

you are viewing a single comment's thread
view the rest of the comments
[–] Kissaki@programming.dev 2 points 6 hours ago* (last edited 6 hours ago) (1 children)

What makes you think it's a lockfile issue? If they sighted a patch upgrade then updated the lockfiles but then noticed a breaking change, then lockfiles are irrelevant.

If it's actually like they claim, I understand the frustration. (Not that I know this project in particular or how it gets integrated.) Without clear versioning and/or changelogs/release notes managing upgrades is cumbersome, sometimes impossible.

In some cases I've had to ask for clarification in PRs because release notes were not clear, PR was not clear, and resolved ticket was also not clear on the thing or solution.

Apparently they had issues before, so maybe they could have expected "patch may not be patch-only".

[–] kibiz0r@midwest.social 6 points 4 hours ago (1 children)

It’s the combination of “breaking changes on minor releases” and “disregard for … production environments”.

Can you stop releasing breaking changes on minor releases? It's absolutely infuriating that you guys keep doing this over and over again with complete disregard for people downstream using this package in production environments.

By the time you’re deploying to production, you should already have your versions locked in, so semver does not factor into resolving dependencies for production deployments at all.

I can understand it being annoying for development processes. Like, if you have a dependabot-style tool that tests against new releases and submits PRs for them, that can definitely be a waste of time and attention if it fails frequently on patch-level updates.

But in between that “eager testing” step and a production rollout, there needs to be a moment where a human reviews the updates and signs off on updating the lockfile.

And at that moment, reading the changelog, it really doesn’t matter if it says “1.0.1: breaking changes!” or “2.0.0: breaking changes!”, because you need to be looking at the substance of the update.

The only way semver violations burn you in a prod env is if you’re YOLOing new versions out there, either by forgoing a lockfile or by merging lockfile updates without review.

[–] Feyd@programming.dev 1 points 1 hour ago* (last edited 1 hour ago)

The reasonableness of your assertion kind of comes down to environment. Say NPM where people go nuts with dependencies (and is the subject here). If for instance there is a security issue in a package used by the package in question and you must update the package in question to get the package with the security warning updated, then you must update the package in question, and there is every expectation in the NPM ecosystem that semver is followed.

That said, being rude to the developers is immature and counterproductive, and moving to a different solution if a package repeatedly causes problems would be the sane course of action.