Semver behavior for dependency changes

If I increased the major version of one of the dependencies of my crate, do I need to bump the major version number or the minor version number of my crate?

Besides, I found in a previous post that,

How is 0.x version exactly handled in cargo? Do I need to bump the version of my crate if I bump the version of a dependency from 0.1 to 0.2?

I didn't find any rules about this scenario in the cargo book, so I put the question here, thanks in advance!

1 Like

First of all, if you bump the version of a private dependency, this doesn't have any influence on your own version. It's just an implementation detail, and they can be changed in any version bump, including patches.
If you bump the version of a public dependency (i.e. of something which appears in your API), however, that's a different story. In general, this change would be breaking, so you have to bump your own version too.

About 0.x in particular. In Semver, 0.x.y is treated as incompatible with 0.a.b, no matter the values for x, y, a and b (except the exact same versions, of course). In Cargo, 0.x.y is treated as compatible with 0.x.z, i.e., for 0.x versions, x is treated as an "effectively major", and it is expected that breaking changes will lead to its bump.
Together, this means that a change from 0.1 to 0.2 in the public API is generally breaking, as it would be in Semver; but a change from 0.1.1 to 0.1.2, unlike Semver, is considered to be non-breaking.

5 Likes

To clarify private/public dependency: if in your crate you have pub use someothercate::SomeType that's visible to users, that makes it a public dependency. Similarly if you have a public function that takes or returns types from another crate, that makes it a public dependency. This is because in Rust/Cargo structs and enums are versioned, and structs from different major versions of the same crate are considered incompatible.

As for how 0.x works in Cargo: major version is the first non-zero number in the version, so 0.1.x and 0.2.x are as incompatible as 1.x.x and 2.x.x.

1 Like
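
The rule the two answers above describe (the first non-zero component acts as the major version, and only an incompatible bump of a public dependency forces a breaking bump of your own crate), as an added example that is not part of the original posts. The helper names are hypothetical, and pre-release or build-metadata suffixes are deliberately rejected rather than handled.

```rust
// Added example; Ver, Bump, parse, compat_key, cargo_compatible,
// required_bump and next_breaking are hypothetical helpers.
type Ver = (u64, u64, u64);

#[derive(Debug, PartialEq)]
pub enum Bump { NotRequired, Breaking }

/// Parse "MAJOR[.MINOR[.PATCH]]"; missing parts are 0 ("0.2" -> 0.2.0).
pub fn parse(v: &str) -> Option<Ver> {
    let parts: Vec<&str> = v.trim().split('.').collect();
    if parts.len() > 3 { return None; }
    let mut nums = [0u64; 3];
    for (i, p) in parts.iter().enumerate() {
        nums[i] = p.parse().ok()?; // rejects "", "x", "0-alpha"
    }
    Some((nums[0], nums[1], nums[2]))
}

/// Cargo's "effective major": the left-most non-zero component.
pub fn compat_key((major, minor, patch): Ver) -> Ver {
    if major > 0 { (major, 0, 0) }
    else if minor > 0 { (0, minor, 0) }
    else { (0, 0, patch) }
}

pub fn cargo_compatible(a: &str, b: &str) -> Option<bool> {
    Some(compat_key(parse(a)?) == compat_key(parse(b)?))
}

/// Bump required for your crate when a dependency moves old -> new.
/// Only the type-compatibility rule is modelled; other breakage is out of scope.
pub fn required_bump(old: &str, new: &str, public: bool) -> Option<Bump> {
    let compatible = cargo_compatible(old, new)?;
    Some(if public && !compatible { Bump::Breaking } else { Bump::NotRequired })
}

/// Smallest version of your own crate that Cargo treats as incompatible.
pub fn next_breaking(own: &str) -> Option<Ver> {
    Some(match parse(own)? {
        (0, 0, p) => (0, 0, p + 1),
        (0, m, _) => (0, m + 1, 0),
        (maj, _, _) => (maj + 1, 0, 0),
    })
}

fn main() {
    println!("0.1.1 vs 0.1.2: {:?}", cargo_compatible("0.1.1", "0.1.2"));
    println!("public 0.1 -> 0.2: {:?}", required_bump("0.1", "0.2", true));
    println!("own crate 0.3.1 -> {:?}", next_breaking("0.3.1"));
}
```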

Unless of course the version bump in the private dependency creates a
breaking change in your library.

For example, if you provide a strong guarantee that your library can be
used with Rust version 1.52, and the new private dependency has MSRV
1.56, then – depending on your policy re MSRV – you may need to do a
major version bump, too.

1 Like

Thanks for the explanation! It makes total sense to me, and should be included in the Rust Cargo book!