Dependabot selects incorrect prerelease version for Go
stefanvanburen opened this issue · comments
Is there an existing issue for this?
- I have searched the existing issues
Package ecosystem
Go
Package manager version
go version go1.22.4
Language version
1.22.4
Manifest location and content before the Dependabot update
https://github.com/bufbuild/buf/blob/e54a2e87034b1679a7117e85c94534bb224a611b/go.mod#L8
dependabot.yml content
Updated dependency
buf.build/gen/go/bufbuild/registry/protocolbuffers/go, from 1.34.1-20240606161333-696c2cfeae8c.1 to 1.34.2-20240610164129-660609bc46d3.1. (see bufbuild/buf#3084)
What you expected to see, versus what you actually saw
It should bump from 1.34.1-20240606161333-696c2cfeae8c.1 to 1.34.2-20240610164129-660609bc46d3.2 (note the final .2). Instead, it bumped from 1.34.1-20240606161333-696c2cfeae8c.1 to 1.34.2-20240610164129-660609bc46d3.1 (note the final .1).
Native package manager behavior
It selects the correct version:
$ go get -u buf.build/gen/go/bufbuild/registry/protocolbuffers/go@latest
go: downloading buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240610164129-660609bc46d3.2
go: downloading buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240401165935-b983156c5e99.2
go: upgraded buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.1-20240508200655-46a4cf4ba109.1 => v1.34.2-20240401165935-b983156c5e99.2
go: upgraded buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.1-20240606161333-696c2cfeae8c.1 => v1.34.2-20240610164129-660609bc46d3.2
I believe that under the covers, Go modules use the x/mod/semver package, which compares these versions correctly: https://go.dev/play/p/HBimGqCMLPJ
Images of the diff or a link to the PR, issue, or logs
Smallest manifest that reproduces the issue
No response
FWIW, I think what may be going on is that the .split on the prerelease is only assigning the initial section of the version to @prerelease; the .split should probably be limited to only two components, so it's ensured to get everything after the initial -.
irb(main):002:0> version, prerelease = "1.2.3-20201021035429-234234.1".split("-")
=> ["1.2.3", "20201021035429", "234234.1"]
irb(main):003:0> version
=> "1.2.3"
irb(main):004:0> prerelease
=> "20201021035429"
irb(main):007:0> version, prerelease = "1.2.3-20201021035429-234234.1".split("-", 2)
=> ["1.2.3", "20201021035429-234234.1"]
irb(main):008:0> prerelease
=> "20201021035429-234234.1"
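The effect of the two splits on version ordering, as an added example that is not Dependabot's code and not part of the original comment: it assumes a parser that splits as in the irb session above and then orders prereleases by the SemVer 2.0.0 precedence rules. All method names are hypothetical; the version strings are the ones quoted in the issue.

```ruby
# Added illustration; not Dependabot's code. All method names are hypothetical.

# Split "X.Y.Z-prerelease" into [release numbers, prerelease string].
# limit: nil is the unbounded split from the irb session above;
# limit: 2 keeps everything after the first "-" as the prerelease.
def parse(version, limit: nil)
  release, prerelease = limit ? version.split("-", limit) : version.split("-")
  [release.split(".").map(&:to_i), prerelease]
end

# SemVer 2.0.0 precedence for dot-separated prerelease identifiers.
def compare_prerelease(a, b)
  return 0 if a == b
  return 1 if a.nil?    # a plain release outranks any prerelease
  return -1 if b.nil?
  ids_a = a.split(".")
  ids_b = b.split(".")
  ids_a.zip(ids_b).each do |x, y|
    return 1 if y.nil?  # a has extra identifiers and is equal so far
    x_num = x.match?(/\A\d+\z/)
    y_num = y.match?(/\A\d+\z/)
    cmp = if x_num && y_num then x.to_i <=> y.to_i
          elsif x_num != y_num then (x_num ? -1 : 1) # numeric sorts lower
          else x <=> y
          end
    return cmp unless cmp.zero?
  end
  ids_a.length < ids_b.length ? -1 : 0
end

def compare(a, b, limit: nil)
  rel_a, pre_a = parse(a, limit: limit)
  rel_b, pre_b = parse(b, limit: limit)
  cmp = rel_a <=> rel_b
  cmp.zero? ? compare_prerelease(pre_a, pre_b) : cmp
end

def pick_latest(versions, limit: nil)
  versions.max { |a, b| compare(a, b, limit: limit) }
end

# Candidate versions quoted in the issue text.
CANDIDATES = %w[
  1.34.2-20240610164129-660609bc46d3.1
  1.34.2-20240610164129-660609bc46d3.2
].freeze

puts compare(*CANDIDATES)            # unbounded split: the two compare equal
puts pick_latest(CANDIDATES, limit: 2)
```

With the unbounded split both candidates reduce to the prerelease 20240610164129, so nothing distinguishes .1 from .2; with the two-component split the trailing numeric identifier decides the order.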