this post was submitted on 02 Jul 2026
145 points (98.7% liked)
Programming
27526 readers
354 users here now
Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!
Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.
Hope you enjoy the instance!
Rules
Rules
- Follow the programming.dev instance rules
- Keep content related to programming in some way
- If you're posting long videos try to add in some form of tldr for those who don't want to watch videos
Wormhole
Follow the wormhole through a path of communities !webdev@programming.dev
founded 3 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
It’s the combination of “breaking changes on minor releases” and “disregard for … production environments”.
By the time you’re deploying to production, you should already have your versions locked in, so semver does not factor into resolving dependencies for production deployments at all.
I can understand it being annoying for development processes. Like, if you have a dependabot-style tool that tests against new releases and submits PRs for them, that can definitely be a waste of time and attention if it fails frequently on patch-level updates.
But in between that “eager testing” step and a production rollout, there needs to be a moment where a human reviews the updates and signs off on updating the lockfile.
And at that moment, reading the changelog, it really doesn’t matter if it says “1.0.1: breaking changes!” or “2.0.0: breaking changes!”, because you need to be looking at the substance of the update.
The only way semver violations burn you in a prod env is if you’re YOLOing new versions out there, either by forgoing a lockfile or by merging lockfile updates without review.
The reasonableness of your assertion kind of comes down to environment. Say NPM where people go nuts with dependencies (and is the subject here). If for instance there is a security issue in a package used by the package in question and you must update the package in question to get the package with the security warning updated, then you must update the package in question, and there is every expectation in the NPM ecosystem that semver is followed.
That said, being rude to the developers is immature and counterproductive, and moving to a different solution if a package repeatedly causes problems would be the sane course of action.