dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.

Home Page:https://docs.github.com/en/code-security/dependabot

Dependabot selects incorrect prerelease version for Go

stefanvanburen opened this issue · comments

Is there an existing issue for this?

  • I have searched the existing issues

Package ecosystem

Go

Package manager version

go version go1.22.4

Language version

1.22.4

Manifest location and content before the Dependabot update

https://github.com/bufbuild/buf/blob/e54a2e87034b1679a7117e85c94534bb224a611b/go.mod#L8

dependabot.yml content

https://github.com/bufbuild/buf/blob/e54a2e87034b1679a7117e85c94534bb224a611b/.github/dependabot.yml#L11-L23

Updated dependency

buf.build/gen/go/bufbuild/registry/protocolbuffers/go, from 1.34.1-20240606161333-696c2cfeae8c.1 to 1.34.2-20240610164129-660609bc46d3.1. (see bufbuild/buf#3084)

What you expected to see, versus what you actually saw

It should bump from 1.34.1-20240606161333-696c2cfeae8c.1 to 1.34.2-20240610164129-660609bc46d3.2 (note the final .2). Instead, it bumped from 1.34.1-20240606161333-696c2cfeae8c.1 to 1.34.2-20240610164129-660609bc46d3.1 (note the final .1).

Native package manager behavior

It selects the correct version:

$ go get -u buf.build/gen/go/bufbuild/registry/protocolbuffers/go@latest
go: downloading buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.2-20240610164129-660609bc46d3.2
go: downloading buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240401165935-b983156c5e99.2
go: upgraded buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.1-20240508200655-46a4cf4ba109.1 => v1.34.2-20240401165935-b983156c5e99.2
go: upgraded buf.build/gen/go/bufbuild/registry/protocolbuffers/go v1.34.1-20240606161333-696c2cfeae8c.1 => v1.34.2-20240610164129-660609bc46d3.2

I believe that under the covers, Go modules use the x/mod/semver package, which compares these versions correctly: https://go.dev/play/p/HBimGqCMLPJ

Images of the diff or a link to the PR, issue, or logs

bufbuild/buf#3084

Smallest manifest that reproduces the issue

No response

FWIW, I think what may be going on is that the .split on the prerelease is only assigning the initial section of the version to @prerelease; the .split should probably be limited to only two components, so it's ensured to get everything after the initial -.

irb(main):002:0> version, prerelease = "1.2.3-20201021035429-234234.1".split("-")
=> ["1.2.3", "20201021035429", "234234.1"]
irb(main):003:0> version
=> "1.2.3"
irb(main):004:0> prerelease
=> "20201021035429"
irb(main):007:0> version, prerelease = "1.2.3-20201021035429-234234.1".split("-", 2)
=> ["1.2.3", "20201021035429-234234.1"]
irb(main):008:0> prerelease
=> "20201021035429-234234.1"
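As an added example (not dependabot-core's own code), the Ruby below shows the parse the comment above describes: split the version on the first `-` only, then compare the prerelease identifiers per semver 2.0.0 §11, with the unlimited-split form kept beside it for contrast. All function names are hypothetical.

```ruby
# Added example, not dependabot-core's code: parse a Go module version into
# [major, minor, patch] plus its full prerelease string, then compare two
# versions using semver prerelease rules.

# Split on the first "-" only, so a prerelease that itself contains "-"
# (Go's "yyyymmddhhmmss-commit.N" suffix) survives intact.
def parse_go_version(str)
  s = str.sub(/\A[vV]/, "")
  core, prerelease = s.split("-", 2)        # limit 2: keep everything after the first "-"
  nums = core.split(".").map { |n| Integer(n, 10) }
  raise ArgumentError, "bad version #{str}" unless nums.length == 3
  { core: nums, prerelease: prerelease }
end

# The form from the report, kept for contrast: an unlimited split assigns only
# the first "-"-separated piece to prerelease and silently drops the rest.
def buggy_prerelease(str)
  _core, prerelease = str.sub(/\A[vV]/, "").split("-")
  prerelease
end

# semver 2.0.0 section 11: compare dot-separated identifiers left to right;
# numeric identifiers compare as integers, alphanumeric ones lexically, numeric
# sorts before alphanumeric, and a shorter identical prefix sorts first.
def compare_prerelease(a, b)
  return 0 if a == b
  return 1 if a.nil?     # a plain release sorts after any prerelease
  return -1 if b.nil?
  ia = a.split("."); ib = b.split(".")
  ia.zip(ib).each do |x, y|
    return 1 if y.nil?   # b is a strict prefix of a
    xn = x.match?(/\A\d+\z/); yn = y.match?(/\A\d+\z/)
    c = if xn && yn then x.to_i <=> y.to_i
        elsif xn then -1
        elsif yn then 1
        else x <=> y
        end
    return c unless c.zero?
  end
  ia.length <=> ib.length
end

# Returns -1, 0 or 1 like <=>, comparing the numeric core first.
def compare_go_versions(x, y)
  px = parse_go_version(x); py = parse_go_version(y)
  c = px[:core] <=> py[:core]
  c.zero? ? compare_prerelease(px[:prerelease], py[:prerelease]) : c
end
```

With the two-component split, `1.34.2-20240610164129-660609bc46d3.2` sorts after the `.1` build, matching what `go get` selected above.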