We regularly update our dependencies, and in some cases, these updates contain breaking changes in the scanner. For example, gitleaks had a major rewrite which we are currently tracking in #830. Once this is merged into SCB, old scan definitions for gitleaks in SCB will stop working.
According to semver, we would have to do a major version bump every time we have backwards-incompatible changes. However, if we do this, we will reach Chrome-level version numbers very quickly, and it is unnecessary to bump the major version every time any dependency (that may not be used by many people anyway) has a breaking change - this would, in fact, dilute the utility of having major version changes signify that you need to pay attention to what is happening.
Instead, I propose that we add a new label for PRs, something like "breaking-dependency" or something similar (don't really like that name, but maybe someone has a better idea). This label is applied to every scanner update that requires people using them to pay attention and read the patch notes. They would be highlighted in a special place at the top of the release notes.
Proposal in TODO form: