Warn package authors when uploading a semver2 package through the web site #4239
Conversation
| <text> | ||
| Warning: This package has a SemVer2 package version. <br /> | ||
| <span style="font-weight: normal; font-style:italic;"> | ||
| This package will only be available for download with SemVer2-compatible NuGet clients, such as Visual Studio 2017 (version 15.3) and above or NuGet client 4.3.0 and above.<br /> |
There was a problem hiding this comment.
SemVer 2.0.0 instead of SemVer2
| var model = new VerifyPackageRequest | ||
| { | ||
| Id = packageMetadata.Id, | ||
| Version = packageMetadata.Version.ToFullStringSafe(), | ||
| OriginalVersion = packageMetadata.Version.OriginalVersion, | ||
| HasSemVer2Version = packageMetadata.Version.IsSemVer2, |
There was a problem hiding this comment.
Can we reuse the code at
?By doing that, we can reduce the model to just having a IsSemVer2 property, and remove any duplication of this code.
There was a problem hiding this comment.
Please note that the message is different when the package has a semver2 version itself, or only has a semver2 package dependency.
There was a problem hiding this comment.
I see the value from technical point of view to reuse the SemVerLevelKey class to determine IsSemVer2. However, I also see value in really being able to point the author to exactly what piece of metadata is causing the warning. We can only do that by distinguishing both scenarios. Would like to hear what @anangaur thinks about this one :)
There was a problem hiding this comment.
Oh I forgot about the message being different for the two different scenarios. Can we split the SemVerLevelKey.ForPackage method into two helper methods--HasSemVer2Version and HasSemVer2Dependency and then call those methods here?
| </span> | ||
| <br /> | ||
| <br /> | ||
| <input id="verifyUploadSubmit" type="submit" value="Submit" title="Verify Details & Submit" /> |
There was a problem hiding this comment.
Two things:
1 - I don't like that we have the HTML for this button in two places.
2 - I think it looks a little odd that the button is inside the alert. Additionally, we don't have any buttons inside other alerts.
I think we could resolve both of these issues by moving the button outside of the alert.
There was a problem hiding this comment.
I really really want to have this warning as much in the way as possible so authors have to read it..
There was a problem hiding this comment.
Moving the button out of the warning banner. Seems in your face enough indeed. As long as it is close to the actionable button of this page so authors can't just skip it "by accident" :)
There was a problem hiding this comment.
Yea I didn't want to move the warning away--I like it right next to the button--but I just wanted to move the button out of the yellow. Looks great!
|
Ping @anangaur |
|
I agree we should make a differentiation. And this differentiation should be conistent across sever and client. The text needs some minor tweaks though and a Fwd link and I will be able to provide the same, later.
|
|
@anangaur about case 2b: I think what you describe there is what we understood to be a non-goal. There's no way we can detect that a dependency that would be resolved is semver2 for a given non-semver2 dependency version range. That would require analysis of all restore graphs, which is currently not taken into account to determine whether the package is semver2. So we can only detect two cases: 1 and 2a (or just 2 :)) |
|
Thanks for the reviews! Holding off until I receive final wording from @anangaur. |
|
@xavierdecoster I thought we can still figure out case 2b not for all dependencies but for 1st level. Atleast thats what I understood based on the discussions with @joelverhagen and @ryuyu Case 1: We should be able to detect PackageA is SemVer 2 as direct dependency is SemVer 2 Case 2: We cannot determine Package A to be SemVer 2 as the dependency is deeper than 1 level. Here PackageC is dependent on a SemVer package and not PackageA directly. PackageA 1.0.0 |
|
@anangaur @joelverhagen @ryuyu let's have the discussion here, as hallway discussions don't make it across the ocean ;) So, we can indeed query case 1, but isn't that raising a warning on what may be a temporary situation? The nuspec itself does not contain any semver2 version or version range, and at any point in time, a semver2 package dependency that matches the minimum constraint may be listed or unlisted. e.g. we may not be raising the warning at upload time when the lowest package version matching the lowerbound is v2.0.1. A week later, 2.0.0+metadata is unlisted, still matching the constraint, turning this package suddenly into a semver2 package (and we didn't show a warning). The opposite may also be true: we warn about the package being semver2 when 2.0.0+metadata is the lowerbound best match, whilst it may be unlisted some time later and a semver1 package version becomes the best match for this lowerbound (and we displayed a warning that no longer makes sense). In both cases, the (lack of) warning may be experienced as inconsistent, whilst now we only take into account what is physically in the nuspec. I much prefer consistency and easy to understand warnings :) |
|
Correct me here, if I am misunderstanding something
Isn't 1. and 2b. the same described here? |
|
@shishirx34 rephrased (to how I understood it :))
|
|
@xavierdecoster thanks for rephrasing. The flip side of not reporting warning for 2b is that the publisher will be happy but the package will still end up being not compatible on the older clients. Now finding out the real issue here would be non-trivial for the publisher when this issue is reported. |
…button out of the warning banner for semver2
xavierdecoster
force-pushed
the
dev-issue4215
branch
from
3fd2eef
to
6307916
Compare
|
See my comment here on Case 3: #4215 (comment)
|
This PR is a proposal we can start working from. Awaiting final wording from @anangaur.
I'd suggest to have the warning as close as possible to the submit button to ensure maximum visibility (people don't always read messages at the top of the page).
When a package has a semver2 version itself:
When a package has a non-semver2 version, but is considered semver2 due to a dependency declaration: