1.20.0 should have been versioned as a breaking change

[ariddlestone]

We compose this library into our project via another library, but essentially our version constraint is ^1.18. This should prevent breaking changes, as it only allows minor updates.

However, deployments recently have stopped working, because we have updated to 1.20.0, which it turns out dropped support for MongoDB 3.6 (which Azure Cosmos DB masquerades as):

This release drops support for MongoDB 3.6. A future release will drop support for PHP 7.4 and 8.0.

Dropping support for a MongoDB version should be considered an incompatible API change, so the version of this release should have been 2.0.0. Composer relies on following semver.org guidelines:

Given a version number MAJOR.MINOR.PATCH, increment the:

1. MAJOR version when you make incompatible API changes
2. MINOR version when you add functionality in a backward compatible manner
3. PATCH version when you make backward compatible bug fixes

Could you consider releasing a version 2.0.0 from the same commit, and adding a new 1.20.1 release which reverts the changes, so that other people using your library doesn't find they are hitting the same issues? The sooner this is done the fewer people it will affect.

[alcaeus]

There are a couple of points to consider here. First of all, the API is still compatible, i.e. we did not remove any methods, classes, or anything else you may have been using. What we did drop is connecting to a server version that has been unsupported for more than three years after announcing we'll do so, which we've done in multiple previous instances.

The second point is that you are relying on a transitive dependency here. You're depending on the Laravel integration, which in turn depends on the MongoDB driver. We are currently working on a 2.0 version of the driver, with the goal of having the Laravel integration support both 1.21+ and 2.0 at the same time. As long as there are no breaking API changes in the Laravel integration itself, this change will be released in a minor version according to SemVer guidelines. Extending from this thought, even if we had released this as part of a 2.0 release, we would still most likely have released a new minor version of the Laravel integration that works with this 2.0 release. Unless you had an explicit constraint on the driver itself, your problem would not have changed.

Furthermore, I'll note that MongoDB 3.6 was end-of-lifed in April 2021 in accordance with the MongoDB Software Lifecycle. Drivers support end-of-lifed server versions for 36 months, after which we may decide to drop support for them in order to remove legacy code and reduce maintenance. However, we do not consider this a breaking change, as we don't expect or recommend people are running a server version that has not received any support or security updates for three years. We will continue to drop support for such outdated server versions in future minor versions, most likely with dropping support for MongoDB 4.0 sometime after April 2025.

Last but not least, I'll note that you are using CosmosDB. Since the driver you are using was written for MongoDB, we cannot give any guarantees or offer any support for your use case, and even within a minor version you may see breakage from using the driver with CosmosDB. For more information on this, I'll direct you to our documentation or compatibility page.

[ariddlestone]

Ok, fair enough.

I've updated our Dockerfile to use pecl install mongodb-1.19.1, and updated composer.json to require "ext-mongodb": "1.19.1", which in turn successfully limits which versions of various mongodb/* libraries are installed.

I would say that it's a little awkward for there to be no composer package in the mongodb space which has a major update when version support is dropped. For some of our systems changing the version of an external database is not an option, and obviously when we set out using a library to access them we don't know which minor version in the future is going to drop support. This makes keeping libraries up to date much more effort, but I guess depending on a PECL library means we kind of have this problem in the Dockerfile already.

Anyway, thanks for your help @alcaeus.

Also, sorry about the multiple tickets - my colleague and I hit the issue at the same time from different angles, both checked there wasn't a ticket already before raising one, but didn't realise each other were doing the same.

Thanks again.