[RFC] Clarifying Semantic Versioning for OpenSearch Dashboards #9491
Comments
|
Makes sense: Is there a designated location we are planning where the public contract is documented and maintained? I see the SEMVER.md is an examples. What is the process for determining if a change affects the public contract? And can plugins proposed something is a public contract or will it be only maintainers that determine the public contract. Will there be a regular review on the public contract? For breaking changes as a maintainer, do we have a process? Should we get agreement among stakeholders or just maintainers that this breaking change makes sense? We should also label the PR with the breaking change label so it's easier to find these PRs at the time of major version release. Should we have policies on deprecation and timelines? Since we have a lot of long running deprecated stuff. |
|
i like the idea to remove treating npm/internal change as breaking About doc: regarding doc, we already using openapi to doc doc, we should continue to use it for all existing public api and new api About dependencies/interface about versioning Rules, while the rfc is aim to discuss Semantic Versioning for OSD, from content it is mainly focus on developer's view, while we should be open to bump up version for new feature and change that don't introduce any break change. |
@kavilla Yes we will have a single place where this is documented. I think as @seraphjiang mentioned, the openapi doc has already been started, we will need to add to that. We can also just specify for now in a api.md file what the API's are and link to the openAPI docs where it makes sense.
This will be defined in the semver.md file which requires approvals from maintainers before its changed
Thats not something i want to cover here. This is just to clarify the semantic versioning definition for OSD. The process to enforce it can come later. Lets make sure we agree on the definition first.
I have a section on that inthe RFC
Good callout. I can add that
I agree on following OpenSearches definitions. Opensearch also follows senver2.0. I just restated them given that we are discussing semver here. I can remove it too. As for the roadmap. I dont want to mix the conversations. I agree with the other proposal to allow different versions but that can happen independent of this change.
What version do you want us to be open about bumping up? That wasnt clear to me |
Is it intentional that this definition doesn't cover UI itself?
Is it always clear what is being consumed? Should default assumption be that it is consumed?
How are plugins bound by OSD's npm dependencies? In what situation will OSD fail to build when dependencies are mismatched. There's a tension that Plugins may depend on a npm package version for particular logic, but are at the same time bound to the same version that OSD uses. If OSD updates the package, it potentially could be problematic for the plugin, and while the plugin probably shouldn't have depended on that functionality, they also didn't really have a choice in the versioning. I think we should at least call this out as a risk for plugins, and would be good to understand how we can further mitigate (not clear on what packages this would be an issue for).
Extension points are code, right? They don't need to be called out from a UI perspective, right? Documented user experiences is quite broad. What does "documented" mean and what "changes to these behaviors" are considered breaking. Are we saying the functionality that is documented is breaking, but the UX can change? Is some amount of UX consistency expected? Agree that getting more specific per seraphjiang will help.
Saw you said we'd define later, but would be good to have a way to ensure correct calibration. |
Yes, The UI itself can be interpreted as literally any change on the UI even if it does not impact the user. By being explicit we make sure we leave ourselves freedom to fix the things that we think are good while also ensuring that things that we think should not change are explicitly written down and agreed upon.
We need to be explicit about whats consumed. Thats the goal of the SEMVER.md file i will raise if we agree to this. The default assumption is that its not consumed. Some basic defaults can be assumed to be consumed though like plugin start and setup menthds, exports, api. The rest are implicitly assumed not part of the public contract
I agree and this is the main reason we hesitated against updating dependencies. However what the last few years have thought us is that either we agree that this is an okay tradeoff to be on top of CVE's and other dependency related bottlenecks, or slow down or use hacky work arounds to build the features and fix CVE's (e.g. forking public npm repos and hostign them under our personal npm accounts). There my argument is for making the tradeoff for speed
Yeah let me get back on something more specific here. My intention was that there will be no change from how we treat UX changes right now. But how we treat it today is also a grey area. I will clarify this more
My idea here was to have essentially a tiered system of reviews for changes. A few core maintainers with different expertise's are required for breaking change reviews. Then we have area specific maintainers who's review is required for changes that impact that area. Smaller changes can be reviewed by any maintainer. Does this answer that question @kavilla @virajsanghvi ? |
How do we know something is consumed? Is consumption defined as consumed within opensearch-project? If its just best effort, it just brings into question the default assumption being not consumed.
That's fine, my main ask was just that we need to write this down and flesh it out. Even having tiers brings up the question of who assigns tiers. Fine not to do it as part of this RFC, but think we need it asap in order to be successful here. |
Summary
This RFC proposes a refined Semantic Versioning (SemVer) policy for OpenSearch Dashboards. It explicitly separates internal npm dependencies from the semver public contract, reduces the likelihood that internal changes will cause breaking version bumps, and provides examples illustrating when a dependency update affects the public API (and thus semver) versus when it does not.
Background
OpenSearch Dashboards currently treats many aspects of its platform—including npm dependencies, server APIs, and the UI—as part of its semver contract. In particular:
This broad interpretation of what counts as a semver-breaking change has made it difficult to address security fixes and internal improvements without triggering a major version increment.
Motivation
Proposal
1. Defining the Public Contract
Principle: A “public contract” is any interface or behavior that is:
Covered in official documentation or API references explicitly intended for external consumption (e.g., plugin APIs, server endpoints).
Declared stable and supported across releases unless a deliberate version bump is communicated.
Relied upon by third-party developers or users, such that any change would require them to alter their code or workflows.
Modifications would force external consumers to update their implementations or significantly change their usage patterns.
Public Contract Checklist
Ask these questions when determining if a change affects the public contract:
If all answers above are “yes,” changes to that interface are semver-breaking. Otherwise, the change can be classified as internal.
2. Excluding npm Dependencies from Semantic Versioning
Because of the coupled architecture, npm dependencies are often shared between OpenSearch Dashboards and its plugins, causing updates to affect plugin builds. This policy explicitly excludes npm dependency changes from semver unless they alter a documented, stable public interface.
Example: Upgrading from [email protected] to [email protected] to address a security fix. The plugin API or behavior doesn’t change, so this is not a breaking change.
Example: Migrating from lodash@4 to lodash@5 means that we cannot support a data plugin API that directly exposes a lodash API that changes with the version upgrade
Objective: Decouple the semver contract from routine npm dependency updates, so only true API/behavioral changes trigger a major version bump.
3. Versioning Rules
OpenSearch Dashboards adopts Semantic Versioning 2.0.0 with the following structure:
4. UI Versioning Considerations
While UI changes can sometimes be disruptive, the RFC distinguishes:
5. Deprecation Policy
To provide clarity on when features or interfaces will be removed:
6. Implementation Plan
Once this RFC is closed we can add a
SEMVER.mdfile in the repository to outline these rules, including the examples of internal vs. public changes.Feedback required
The feedback that this RFC is looking for is
The text was updated successfully, but these errors were encountered: