How should inter-related software packages be versioned?

Question

Some open-source projects make combined releases where the version number of each package(library) is increased to the same version.

Examples in Java are:

• org.springframework
• com.fasterxml.jackson
• org.hamcrest

This implies that some packages may get a new version even though they have not changed (nor their dependencies). I don't think this violates semantic versioning.

Benefits I see is that:

• Users can use a single version to monitor and upgrade
• All users likely to use the same combination of libraries

Drawbacks:

• Users using just one out of many libraries might be notified about an "update" though the package to download has not changed
• If many users use just a sub-package, then all bug reports for one version are equally for a range of versions, which is difficult to track. Reverting to the previous "different" version to avoid a bug becomes more complex.

Answer 1

One alternative to single-versioning is to use a BOM (Bill-of-materials). Different concepts of BOMs exist:

• A BOM can list several dependencies to include in their versions (e.g. Linux apt Meta-packages)
• A BOM can define versions (and other restrictions) for dependencies to be used if the dependency is included (e.g. Java Maven dependencyManagement section of BOM)

The BOM allows to declare which configuration(combination) of library-versions have been tested together, and allows separate groups of users to all use the same configuration, helping with bug reports and reproducibility.

Not all software distribution and buildsystems support the BOM concept equally well, though.