Lost in Zero Space -- An Empirical Comparison of 0.y.z Releases in Software Package Distributions

TL;DR

This paper empirically analyzes 0.y.z package releases across four open source distributions, revealing that version numbers often do not accurately reflect package maturity or stability, challenging common assumptions.

Contribution

It provides a comprehensive empirical comparison of 0.y.z and >=1.0.0 releases, highlighting discrepancies between versioning and actual package maturity.

Findings

Many 0.y.z releases are mature and stable.

Package distributions often violate semantic versioning rules.

Version numbers are poor indicators of package maturity.

Abstract

Distributions of open source software packages dedicated to specific programming languages facilitate software development by allowing software projects to depend on the functionality provided by such reusable packages. The health of a software project can be affected by the maturity of the packages on which it depends. The version numbers of the used package releases provide an indication of their maturity. Packages with a 0.y.z version number are commonly assumed to be under initial development, suggesting that they are likely to be less stable, and depending on them may be considered as less healthy. In this paper, we empirically study, for four open source package distributions (Cargo, npm, Packagist and RubyGems) to which extent 0.y.z package releases and >=1.0.0 package releases behave differently. We quantify the prevalence of 0.y.z releases, we explore how long packages remain in the initial development stage, we compare the update frequency of 0.y.z and >=1.0.0 package releases, we study how often 0.y.z releases are required by other packages, we assess whether semantic versioning is respected for dependencies towards them, and we compare some characteristics of 0.y.z and >=1.0.0 package repositories hosted on GitHub. Among others, we observe that package distributions are more permissive than what semantic versioning dictates for 0.y.z releases, and that many of the 0.y.z releases can actually be regarded as mature packages. As a consequence, the version number does not provide a good indication of the maturity of a package release.