1. 0.y.z packages are highly prevalent, accounting for up to 90% of packages (Cargo), even though semver documentation states they are for initial development.
2. Among packages that do reach ≥1.0.0, it generally takes a few months, but 20% take over a year; fewer than one in ten packages leave 0.y.z at all, suggesting packages get stuck there.
3. 0.y.z packages are updated slightly more frequently, but the effect size is negligible, and there is little practical difference in how 0.y.z and ≥1.0.0 packages are used by dependents.
How magic is zero? An Empirical Analysis of Initial Development Releases in Software Package Distributions
1. How Magic Is Zero?
An Empirical Analysis of Initial Development Releases
in Software Package Distributions
Software Engineering Lab
Faculty of Sciences
Alexandre Decan, Tom Mens
3rd International Workshop on Software Health – July 2020
secoassist.github.io
2. SoHeal 2020 - How Magic Is Zero?
0.2
Software package distributions
• Tens of thousands of interdependent package releases
• Distributed through dedicated package managers
• Ecosystem-specific versioning and release policies
Snapshot 12/2018   Cargo    npm          Packagist
language           Rust     JavaScript   PHP
packages           21K      880K         141K
releases           113K     ~6M          ~1M
dependencies       433K     ~27M         ~3M
3. Semantic versioning of package releases
[Figure: version number major.minor.patch (e.g. 3.9.2); major: breaking changes, minor: backwards compatible changes, patch: bug fixes; labelled from most permissive (major) to most restrictive (patch)]
Version number mainly used to signal backwards compatibility
Dependent packages can use constraints to remain up-to-date
4. Packages with major version 0
Packages have different levels of maturity
Popular convention:
0.y.z initial development releases
≥ 1.0.0 stable and production-ready releases
How Magic is 0?
5. Zero can be misleading
0.y.z: « not production-ready »?
axios, version 0.19.2: 42 releases, 946 commits, >200 contributors, ~10M weekly downloads, 36K dependent npm packages, used by 2.6M GitHub projects
≥1.0.0: « mature and stable »?
zerokit-web-sdk, version 4.0.6: 5 releases, 16 commits, single developer, no longer maintained…
6. Zero can be confusing
Semantic versioning
« Major version zero is for initial development. Anything may change at any time.
The public API should not be considered stable. »
Cargo
« Cargo bakes in the concept of Semantic Versioning, so make sure you follow
some basic rules: 1. Before you reach 1.0.0, anything goes, but if you make
breaking changes, increment the minor version. »
NPM (node-semver)
« Many authors treat a 0.x version as if the x were the major "breaking change"
indicator. »
Packagist
« The ^ operator […] sticks closer to semantic versioning, and will always allow
non-breaking updates. […] For pre-1.0 versions it also acts with safety in mind
and treats ^0.3 as ≥0.3.0 <0.4.0. »
Ecosystem-specific rules, policies and conventions for 0.y.z releases
7. Zero can be confusing
What Do Package Dependencies Tell Us about Semantic Versioning?
A. Decan, T. Mens (2019), IEEE Transactions on Software Engineering
8. Zero can be magical
Maintainers of npm even recommend avoiding 0.y.z since
« semver spec is weirdly magical about 0.y.z versions, and we cannot ever hope to
get everyone to believe what the correct interpretation of 0.y.z versions are »
Magic zero even gave rise to the satirical 0-ver versioning policy
« Your software’s major version should never exceed the first and most important
number in computing: zero » — https://0ver.org/
« An easily spottable plague of an absolute majority of Haskell packages is that they get stuck in the
0.x.x version space, thus forever retaining that “beta” feeling even if the package’s API remains stable
for years and has dependencies counted by thousands » — Haskell subreddit
… even if documentation states that
« Packages with a zero major version provide the same contractual guarantees as
versions released with a non-zero major version »
9. How magic is zero?
1. How prevalent are 0.y.z package releases?
2. How long does it take for a package to reach a ≥1.0.0 release?
3. Are 0.y.z releases updated more frequently than ≥1.0.0 releases?
4. Are 0.y.z package releases used by other packages?
5. How permissive are dependency constraints towards 0.y.z releases?
10. How prevalent are 0.y.z packages?
[Figure: evolution of the number of packages whose latest release is 0.y.z]
Many 0.y.z packages
• 9 out of 10 in Cargo
• 1 out of 3 in npm
• 1 out of 5 in Packagist
≥ 90% of them were active in 2018!
11. How long does it take to reach ≥1.0.0?
Not all packages have a ≥1.0.0 release: less than one out of ten packages went from 0.y.z to ≥1.0.0
« packages get stuck in the 0.y.z version space »
For those that do:
• A majority of them took a few months and a few updates
• One out of five took more than one year
• One out of ten took even more than two years
12. Are 0.y.z releases updated more frequently?
[Figure: average time between consecutive releases, 0.y.z vs ≥1.0.0]
0.y.z packages are updated slightly more frequently than ≥1.0.0
statistically confirmed but small to negligible effect size
« major version zero is all about rapid development »
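The measurements behind slides 11 and 12 (time and number of updates to reach ≥1.0.0, and the mean interval between consecutive releases in each version series) can be reproduced on a package's release history. The following Python is an added example, not the authors' analysis code; the histories pkg-a, pkg-b and pkg-c are constructed, the 365-day year is an assumption, and so is the rule that an inter-release interval is attributed to the series of the earlier of its two releases.

```python
"""Release-history metrics behind RQ2 (time to reach >=1.0.0) and RQ3 (update frequency).
Added example; not the authors' analysis code. The release histories below are constructed."""
from datetime import date
from statistics import mean
from typing import Dict, List, Optional, Tuple

Release = Tuple[str, date]  # (version string, release date)


def parse_version(v: str) -> Tuple[int, int, int]:
    """MAJOR.MINOR.PATCH as ints; pre-release ('-') and build ('+') suffixes are dropped."""
    core = v.split("+", 1)[0].split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {v!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def is_initial_development(v: str) -> bool:
    """True for 0.y.z releases."""
    return parse_version(v)[0] == 0


def by_date(history: List[Release]) -> List[Release]:
    return sorted(history, key=lambda r: r[1])


def time_to_stable(history: List[Release]) -> Optional[Tuple[int, int]]:
    """(days, number of 0.y.z releases) from the first release to the first >=1.0.0 release,
    or None if the package never left 0.y.z."""
    ordered = by_date(history)
    first_date = ordered[0][1]
    for n_updates, (v, d) in enumerate(ordered):
        if not is_initial_development(v):
            return (d - first_date).days, n_updates
    return None


def mean_release_interval(history: List[Release]) -> Dict[str, Optional[float]]:
    """Mean days between consecutive releases, separately for the 0.y.z and >=1.0.0 series.
    Assumption: an interval belongs to the series of the earlier of its two releases."""
    gaps: Dict[str, List[int]] = {"0.y.z": [], ">=1.0.0": []}
    ordered = by_date(history)
    for (v1, d1), (_, d2) in zip(ordered, ordered[1:]):
        series = "0.y.z" if is_initial_development(v1) else ">=1.0.0"
        gaps[series].append((d2 - d1).days)
    return {series: (mean(g) if g else None) for series, g in gaps.items()}


def summarize(corpus: Dict[str, List[Release]], year_days: int = 365) -> Dict[str, float]:
    """Corpus-level view of RQ2 over packages whose first release was 0.y.z: share that ever
    reached >=1.0.0 and, among those, share that took more than one and more than two years."""
    started_in_zero = [h for h in corpus.values() if is_initial_development(by_date(h)[0][0])]
    results = [time_to_stable(h) for h in started_in_zero]
    reached = [r for r in results if r is not None]

    def share(threshold_days: int) -> float:
        return sum(d > threshold_days for d, _ in reached) / len(reached) if reached else 0.0

    return {
        "reached_stable": len(reached) / len(results) if results else 0.0,
        "over_one_year": share(year_days),
        "over_two_years": share(2 * year_days),
    }


CORPUS: Dict[str, List[Release]] = {  # constructed sample histories, not real packages
    "pkg-a": [("0.1.0", date(2018, 1, 1)), ("0.2.0", date(2018, 2, 1)),
              ("1.0.0", date(2018, 4, 1)), ("1.0.1", date(2018, 4, 15))],
    "pkg-b": [("0.0.1", date(2016, 6, 1)), ("0.0.2", date(2017, 1, 1)), ("0.1.0", date(2019, 1, 1))],
    "pkg-c": [("0.9.0", date(2017, 3, 1)), ("1.0.0", date(2018, 9, 1))],
}

if __name__ == "__main__":
    for name, history in CORPUS.items():
        print(name, time_to_stable(history), mean_release_interval(history))
    print(summarize(CORPUS))
```

Run on the constructed corpus, pkg-a reaches 1.0.0 after 90 days and two 0.y.z releases, pkg-c takes 549 days, and pkg-b never leaves 0.y.z, so one of three packages is "stuck" and half of those that made it took more than a year; on real data the same functions run unchanged over the per-package release lists a package manager's metadata provides.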
13. Are 0.y.z releases used by other packages?
Many 0.y.z packages are required by ≥1.0.0 packages.
« if your software is used in production, it should probably already be 1.0.0 »
« if you have a stable API on which users have come to depend, you should be 1.0.0 »
« anything may change at any time [and] the public API should not be considered stable »
Many ≥1.0.0 packages are relying on 0.y.z packages.
14. How permissive are dependency constraints towards 0.y.z packages?
« Major version zero (0.y.z) is for initial development. Anything may change at any time.
The public API should not be considered stable. »
[Figure: proportion of dependency constraints accepting at most patch, minor or major releases, 0.y.z vs ≥1.0.0]
Dependencies on 0.y.z packages assume patches to be compatible.
→ more permissive than semver!
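The ecosystem rules quoted on slide 6 (how ^ and ~ treat 0.y.z versions in Cargo, npm and Composer) and the permissiveness measurement of slide 14 (the most permissive release level a constraint admits, and whether that exceeds what semver promises) can be made concrete by implementing the constraint semantics. The following Python is an added example, not the authors' code and not any package manager's implementation: it handles only the ^, ~, exact and >= (optionally < bounded) forms, the sample constraints are constructed, and treating a single-component Composer ~ constraint as unsupported is an assumption.

```python
"""Constraint semantics for 0.y.z dependencies: ^ and ~ ranges per ecosystem, the most
permissive release level a constraint admits, and whether that exceeds what semver promises.
Added example; not the authors' analysis code nor any package manager's implementation."""
from collections import Counter
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]
Range = Tuple[Version, Optional[Version]]  # lower bound inclusive, upper bound exclusive (None = unbounded)
INF = float("inf")


def _components(text: str) -> List[int]:
    """Split '1', '1.2' or '1.2.3' into its numeric components."""
    parts = text.strip(" ,").split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version syntax: {text!r}")
    return [int(p) for p in parts]


def _pad(parts: List[int]) -> Version:
    return tuple(parts + [0] * (3 - len(parts)))  # type: ignore[return-value]


def _bump(parts: List[int], index: int) -> Version:
    """Version obtained by incrementing component `index` and zeroing everything after it."""
    return _pad(parts[:index] + [parts[index] + 1])


def caret_range(text: str) -> Range:
    """^ as implemented by node-semver, Cargo and Composer: the upper bound bumps the leftmost
    non-zero specified component (the last one if all are zero), so ^1.2.3 < 2.0.0,
    ^0.2.3 < 0.3.0, ^0.3 < 0.4.0 and ^0.0.3 < 0.0.4."""
    parts = _components(text)
    nonzero = [i for i, p in enumerate(parts) if p != 0]
    index = nonzero[0] if nonzero else len(parts) - 1
    return _pad(parts), _bump(parts, index)


def tilde_range(text: str, ecosystem: str) -> Range:
    """~ differs between ecosystems: node-semver and Cargo bump the minor component when one is
    given (~1.2.3 and ~1.2 < 1.3.0, ~1 < 2.0.0); Composer bumps the component before the last
    specified one (~1.2.3 < 1.3.0 but ~1.2 < 2.0.0)."""
    parts = _components(text)
    if ecosystem in ("npm", "cargo"):
        index = 1 if len(parts) >= 2 else 0
    elif ecosystem == "packagist":
        if len(parts) < 2:
            raise ValueError("single-component Composer ~ constraint not supported here (assumption)")
        index = len(parts) - 2
    else:
        raise ValueError(f"unknown ecosystem: {ecosystem!r}")
    return _pad(parts), _bump(parts, index)


def parse_constraint(text: str, ecosystem: str) -> Range:
    """Parse '^x.y.z', '~x.y.z', '>=x.y.z [<a.b.c]' or a bare x.y.z for the given ecosystem."""
    text = text.strip()
    if text.startswith("^"):
        return caret_range(text[1:])
    if text.startswith("~"):
        return tilde_range(text[1:], ecosystem)
    if text.startswith(">="):
        lower_txt, _, upper_txt = text[2:].partition("<")
        upper = _pad(_components(upper_txt)) if upper_txt.strip() else None
        return _pad(_components(lower_txt)), upper
    if ecosystem == "cargo":  # Cargo reads a bare version as a ^ requirement
        return caret_range(text)
    exact = _components(text)  # npm and Composer read a full bare version as an exact pin
    if len(exact) != 3:
        raise ValueError(f"partial bare version {text!r} (an X-range) is not handled here")
    return (exact[0], exact[1], exact[2]), _bump(exact, 2)


def admitted_level(rng: Range) -> str:
    """Most significant component that may change inside the range: 'major', 'minor', 'patch' or 'none'."""
    lower, upper = rng
    if upper is None:
        return "major"
    a, b, c = upper  # largest version strictly below the exclusive upper bound:
    top = (a, b, c - 1) if c > 0 else (a, b - 1, INF) if b > 0 else (a - 1, INF, INF)
    for name, lo, hi in zip(("major", "minor", "patch"), lower, top):
        if lo != hi:
            return name
    return "none"


def more_permissive_than_semver(version: Version, level: str) -> bool:
    """Semver 2.0.0 promises compatibility for minor and patch bumps once major >= 1, and
    nothing at all for 0.y.z ('anything may change at any time')."""
    return level != "none" if version[0] == 0 else level == "major"


SAMPLE_CONSTRAINTS = [  # constructed sample: (constraint as written in the manifest, ecosystem)
    ("^0.19.2", "npm"), ("~0.19.2", "npm"), ("0.19.2", "npm"), ("0.19.2", "cargo"), (">=0.19.2", "npm"),
    ("^4.0.6", "npm"), ("~4.0.6", "packagist"), ("4.0.6", "packagist"),
]


def level_proportions(constraints) -> Dict[str, Dict[str, float]]:
    """Share of constraints admitting at most patch, minor or major updates (or none), split by
    whether the required version is 0.y.z; this mirrors the slide's measurement."""
    buckets: Dict[str, Counter] = {"0.y.z": Counter(), ">=1.0.0": Counter()}
    for text, ecosystem in constraints:
        rng = parse_constraint(text, ecosystem)
        buckets["0.y.z" if rng[0][0] == 0 else ">=1.0.0"][admitted_level(rng)] += 1
    return {series: {level: n / sum(c.values()) for level, n in c.items()}
            for series, c in buckets.items() if c}


if __name__ == "__main__":
    for series, shares in level_proportions(SAMPLE_CONSTRAINTS).items():
        print(series, {k: round(v, 2) for k, v in shares.items()})
```

On the constructed sample, three of the five 0.y.z constraints admit patch updates and one is unbounded, yet by the semver text every one of those four is more permissive than the spec allows for major version zero; among the ≥1.0.0 constraints only an unbounded >= would be. Note also that the same string "0.19.2" is a patch-accepting range in Cargo and an exact pin in npm, which is exactly the kind of ecosystem difference the slide 6 quotes describe.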
15. Summary
1. How prevalent are 0.y.z packages?
0.y.z are prevalent in all three considered distributions, even contributing to 90% of all packages in Cargo
2. How long does it take for a 0.y.z package to reach a ≥1.0.0 release?
Packages get stuck in the 0.y.z version space; only 10% went to ≥1.0.0
It generally takes a few months, but ~20% took more than a year
3. Are 0.y.z releases updated more frequently than ≥1.0.0 releases?
Slightly more, but statistical difference is small to negligible
4. Are 0.y.z package releases required by other packages?
No practical difference between 0.y.z and ≥1.0.0.
5. How permissive are dependency constraints towards 0.y.z packages?
Packages adopt a policy that is more permissive than semver
Backwards compatibility is assumed for patches in 0.y.z
16. Conclusions
• The popular belief that 0.y.z versions are reserved for initial development does not appear to hold in practice:
we observed little difference between how 0.y.z and ≥1.0.0 releases behave.
• Versioning rules and conventions are confusing,
reinforcing the artificial psychological barrier of the 1.0.0 release.
• Semver is not strictly followed by the package maintainers
→ this deviation should be made explicit
→ the semver policy should be adapted
• There is no fundamental reason to consider that 0.y.z releases do not fulfil the same contracts or promises as ≥1.0.0 releases.