For a while, we’ve been unable to upgrade to PHPUnit 11 due to a conflict in transitive dependencies. The crux of the problem is:
- Psalm (5.25.0) directly requires
nikic/php-parser: ^4.16, prohibiting 5.x. - PHPUnit (11.3.1) transitively requires
nikic/php-parser: ^5.1, prohibiting 4.x.
It is possible in the short term to retain PHPUnit 10.x, but it brings to light a certain limitation of Semantic Versioning: it tells you how to create version numbers for your own code base, but it does not carry information about the dependencies of that code.
When the required PHP runtime version goes up, what kind of change is that? SemVer prescribes incrementing the major number for “incompatible API changes,” or the patch for “backward compatible bug fixes.”
So, is it a bug fix? Is it incompatible? Or is the question ill-formed?
It feels wrong to increment the patch version with such a change. Such a release states, “We are now preventing the installation on {whatever Enterprise Linux versions} and below, and in exchange, you get absolutely nothing. There are no new features. Or perhaps we fixed bugs, but now you can’t access those fixes.” That sounds… rude.
Meanwhile, it seems gratuitous to bump the major version on a strict time schedule, merely because an old PHP version is no longer supported upstream every year. It appears to cause a lot of churn in the API, simply because making a major version change is an opportunity to “break” that API. PHPUnit is particularly annoying about this, constantly moving the deck chairs around.
In between is the feature release. I have the same misgivings as with the patch version, although weaker. Hypothetically, a project could release X.3.0 while continuing to maintain X.2.Y, but I’m not sure how many of them do. When people have a new shiny thing to chase, they don’t enjoy spending any time on the old, tarnishing one.
What if we take the path of never upgrading the minimum versions of our dependencies? I have also seen a project try this. They were starving themselves of contributors, because few volunteers want to make their patch work on PHP 5.2–8.1. (At the PHP 8.1 release in 2021, PHP 5.2 had reached its “end of life” about 11 years prior, four years after its own release in 2006.) Aside from that issue, they were also either unable to pick up new features in other packages they may use, or they were forever adding run-time feature detection.
As in most things engineering, it comes down to trade-offs… but versions end up being a social question, and projects do not determine their answers in isolation. The ecosystem as a whole has to work together. When they don’t, users have to deal with the results, like the nikic/php-parser situation. And maybe, that means users will migrate away from Psalm, if it’s not moving fast enough to permit use with other popular packages.
No comments:
Post a Comment