Protocol for semantic version patching: do you bump if dependencies bump?

I have a Python project that has pinned dependencies. A bug was found in my package due to a bug in a third-party dependency. That dependency has released a patch that fixed the bug. However, according to semantic versioning, is it protocol to bump and release a version for every patch release of your pinned dependencies?

pylang asked Oct 28 '25 07:10



1 Answer

Yes, you should update your version number. At the very least you're changing your application in a fashion which could alter its behaviour (by utilising different dependency versions) and this needs to be communicated to your application/library users. It may be that you're quite confident that this is a safe change but there's always a possibility of a change.

If you're only talking about updating a pinned dependency, with no major features added and no resulting API differences, then you'll only be bumping your 'patch' version number - e.g. from v1.2.3 to v1.2.4. For each release with a new set of dependency pins you'll bump your patch version. Don't worry, you're not going to run out of version numbers ;)

If, on the other hand, you roll up the dependency pin updates with internal backwards-compatible feature changes then you'd bump the 'minor' version number (e.g. 1.2.3 -> 1.3.0), and if you're bundling it with non-backward compatible changes then you'd bump the major version number (1.2.3 -> 2.0.0).

http://semver.org/

sisyphus answered Oct 29 '25 23:10

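The rule the answer describes, turned into a small release helper as an added example (this is not code from the question, the answer, or any project they mention). It parses exact `name==X.Y.Z` pins in a constructed requirements.txt-style format, diffs the previous release's pins against the new ones, and applies the answer's decision: a pin-only change bumps the patch number, backwards-compatible feature work bumps minor, breaking changes bump major. The `features_added` and `breaking` flags are assumed inputs the maintainer supplies; the package names and versions in the sample are constructed.

```python
"""Decide which semantic-version component to bump for a release.

Added example, not the question's or answer's own code. Pins are parsed from a
constructed requirements.txt-style format ('name==X.Y.Z'); the classification
follows the rule given in the answer on this page.
"""
import re
from typing import Dict, List, Tuple

# Exact pin only; a trailing '# comment' is allowed and ignored.
_PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9]+(?:\.[0-9]+)*)\s*(?:#.*)?$")


def parse_pins(text: str) -> Dict[str, str]:
    """Parse 'name==version' lines; blank lines and comment lines are skipped.

    Anything that is not an exact pin is rejected, so a loosened constraint
    (e.g. 'name>=1.0') cannot slip into a release unnoticed.
    """
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _PIN_RE.match(line)
        if not m:
            raise ValueError(f"not an exact pin: {line!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def pin_changes(old: Dict[str, str], new: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, removed, changed) package names between two pinned sets."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(name for name in set(old) & set(new) if old[name] != new[name])
    return added, removed, changed


def required_bump(old: Dict[str, str], new: Dict[str, str],
                  features_added: bool = False, breaking: bool = False) -> str:
    """Classify the release: 'major', 'minor', 'patch', or 'none'.

    features_added / breaking are assumed maintainer-supplied flags describing
    the code changes shipped alongside the pin update.
    """
    if breaking:
        return "major"
    if features_added:
        return "minor"
    added, removed, changed = pin_changes(old, new)
    if added or removed or changed:
        return "patch"          # pin-only change: still a release, per the answer
    return "none"


def bump_version(version: str, part: str) -> str:
    """Apply a semver bump to 'MAJOR.MINOR.PATCH'; 'none' returns it unchanged."""
    major, minor, patch = (int(x) for x in version.split("."))
    if part == "major":
        return f"{major + 1}.0.0"
    if part == "minor":
        return f"{major}.{minor + 1}.0"
    if part == "patch":
        return f"{major}.{minor}.{patch + 1}"
    return version


# Constructed sample: previous release's pins and the new ones, where only the
# hypothetical 'thirdpartylib' moved to its bug-fix release.
OLD_PINS = """
requests==2.31.0
thirdpartylib==4.1.2
"""
NEW_PINS = """
requests==2.31.0
thirdpartylib==4.1.3   # upstream fix for the bug that surfaced in our package
"""

if __name__ == "__main__":
    old, new = parse_pins(OLD_PINS), parse_pins(NEW_PINS)
    part = required_bump(old, new)
    print(part, bump_version("1.2.3", part))  # patch 1.2.4
    print("changed pins:", pin_changes(old, new)[2])
```

The diff returned by `pin_changes` is also the list worth putting in the release notes: it tells downstream users exactly which third-party versions their upgrade pulls in, which is the communication the answer says the version bump exists for.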