SemVer Compliance Check
Does the module keep the promise its version numbers make? We audit each package's release history to find out.
What Semantic Versioning promises
Semantic Versioning
is a contract encoded in the version number MAJOR.MINOR.PATCH:
- PATCH (1.2.3 → 1.2.4) — bug fixes only; nothing you rely on changes.
- MINOR (1.2.3 → 1.3.0) — new functionality, fully backward compatible.
- MAJOR (1.2.3 → 2.0.0) — breaking changes; you must review before upgrading.
When a module honors this contract, composer update
with a ^ constraint is safe.
When it doesn't, a "patch" release can silently break your store.
How we check it
We use semverdict, an open-source auditor built on Magento's official Semantic Version Checker engine. For the last 10 release pairs of each package it:
- downloads both releases from Packagist and diffs their entire public code surface,
- computes the version bump the changes actually required (patch, minor, or major),
- compares it with the bump the author actually shipped.
Each release pair gets a verdict:
| OK | The bump matches the changes exactly. |
| OVER | Bumped more than required (e.g. a major for a bug fix) — cautious, allowed. |
| VIOLATION | Bumped less than required — e.g. a breaking change shipped as a patch. |
| 0.x exempt | Under-bump within the 0.x range — the semver spec makes no stability promises there. |
| FAILED | The pair could not be compared (e.g. a release without a downloadable archive) — excluded from the score. |
The compliance percentage is
(OK + OVER + 0.x exempt) / (pairs − FAILED).
A package "Follows SemVer" when no audited pair is a violation. Every new release is re-audited automatically.
Why we don't use Magento's @api-only rules
Magento's own versioning policy only guarantees compatibility for classes and methods marked
@api. By that standard, removing or
changing any other public method would be "not a breaking change".
Developer reality disagrees. In Magento, every public method is an extension
point: plugins can intercept any public method of almost any class, and preferences can rewrite whole
classes — that is the platform's core customization mechanism, and real projects use it everywhere, far beyond
the @api surface.
So when a module changes a public method signature in a patch release, real stores break — regardless of what the annotation says. That's why our audit applies semantic versioning to the whole public code surface, the standard that reflects how modules are actually consumed.
The checker is open source:
github.com/jbrada/semverdict
— run docker run --rm jbrada/semverdict audit vendor/module on your own packages.