Semver 2.0 versions not handled correctly for nuget pre-release dependencies #1972
Comments
|
I just hit a variant of this: |
|
A quick look at the relevant Dependabot source confirms that the prerelease part of the version is still compared lexically, without considering dot separated identifiers consisting of only digits that should be compared numerically: prerelease_string.<=>(other_prerelease_string) |
|
Any updates on this? (we had this happen again recently - Particular/NServiceBus.Callbacks#198) |
|
and again - Particular/NServiceBus.AmazonSQS#807, Particular/NServiceBus.AmazonSQS#808, Particular/NServiceBus.AmazonSQS#809 Is there any likelihood of this being prioritised? This behaviour is killing the entire purpose of dependabot. |
|
This keeps biting again and again and again. Is there any intention of fixing it? |
|
Have the maintainers even acknowledged that the problem exists? I noticed that it has not been marked as a bug, like other issues have — https://github.com/dependabot/dependabot-core/issues?q=is%3Aissue+is%3Aopen+label%3A%22T%3A+bug+%F0%9F%90%9E%22 |
mctofu
added
L: dotnet:nuget
|
This keeps being a tad annoying... 😉 |
|
The fix for this is in v0.178.1 which is deployed internally now, so it shouldn't happen anymore! Thanks for your patience. |
When the bot open PRs for pre-releases the version parsing doesn't work properly for semver 2.0 versions.
Particular/NServiceBus.Gateway.Sql#34 shows this where
3.2.0-alpha.66is a higher version than3.2.0-alpha0014so no PR should have been created.The text was updated successfully, but these errors were encountered: