Masterminds / semver

Work with Semantic Versions in Go
MIT License

semver v3 regex is more inclusive than the official semver.org regex #211

Open oshirohugo opened 1 year ago

oshirohugo commented 1 year ago

The official Semantic Versioning website has a suggested regex, which is different from the one used in semver v3: https://github.com/Masterminds/semver/blob/master/version.go#L42

The results of applying them are different.

This is the official one: https://regex101.com/r/Ly7O1x/3/

This is the one from semver v3 applied to the same examples: https://regex101.com/r/LxcCgR/1

Shouldn't they be the same?

d0x7 commented 1 year ago

In my opinion, no, it should not be the same. As stated in the README, there is a StrictNewVersion and the more permissive NewVersion, which also allows things like v1 or v1.2, which are not strictly SemVer, but still occur often "in the wild".

In fact, I am very glad this library supports the more permissive one, as that's pretty much exactly what I need for a project. Now I only need to go from interval notations to this library's format for comparing/validating versions and the more permissive NewVersion can handle the parsing and comparing :)

oshirohugo commented 1 year ago

Thanks for your answer @d0x7. Indeed StrictNewVersion is more restrictive, but still the following invalid versions are parsed without any errors:

1.1.2+.123
1.0.0-alpha..
1.0.0-alpha..1
1.0.0-alpha...1
1.0.0-alpha....1
1.0.0-alpha.....1
1.0.0-alpha......1
1.0.0-alpha.......1

For more details: Simple tests. All of them are not valid according to the official regex test. So, I believe at least StrictNewVersion should reject these cases.

mattfarina commented 2 weeks ago

StrictNewVersion should definitely reject these cases.

NewVersion is loose but should still reject invalid versions. So, there are bugs in that, too.
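
A caller that needs the strictness discussed in this thread can enforce the SemVer 2.0.0 grammar itself before handing a string to any parser. The following is an added example, not code from Masterminds/semver or from anyone in this thread; `ValidateStrict` and `checkIdents` are hypothetical names, and the sample inputs are two strings quoted in the issue plus one constructed valid version.

```go
package main

import (
	"fmt"
	"strings"
)

const digits = "0123456789"
const idChars = digits + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-"

// checkIdents validates dot-separated identifiers (SemVer 2.0.0 items 9 and 10).
func checkIdents(section, s string, noLeadingZero bool) error {
	for _, id := range strings.Split(s, ".") {
		switch {
		case id == "":
			return fmt.Errorf("%s: empty identifier", section)
		case strings.Trim(id, idChars) != "":
			return fmt.Errorf("%s: invalid character in %q", section, id)
		case noLeadingZero && len(id) > 1 && id[0] == '0' && strings.Trim(id, digits) == "":
			return fmt.Errorf("%s: leading zero in %q", section, id)
		}
	}
	return nil
}

// ValidateStrict (hypothetical helper) returns nil only if v matches the SemVer 2.0.0 grammar.
func ValidateStrict(v string) error {
	core, build, hasBuild := strings.Cut(v, "+")
	core, pre, hasPre := strings.Cut(core, "-")
	nums := strings.Split(core, ".")
	for _, n := range nums {
		if len(nums) != 3 || n == "" || strings.Trim(n, digits) != "" || (len(n) > 1 && n[0] == '0') {
			return fmt.Errorf("core: want MAJOR.MINOR.PATCH without leading zeros, got %q", core)
		}
	}
	var err error
	if hasPre {
		err = checkIdents("pre-release", pre, true) // numeric identifiers: no leading zeros
	}
	if err == nil && hasBuild {
		err = checkIdents("build", build, false) // build metadata may carry leading zeros
	}
	return err
}

func main() {
	for _, v := range []string{"1.1.2+.123", "1.0.0-alpha..1", "1.0.0-alpha.1+build.5"} { // constructed sample
		fmt.Printf("%-24q %v\n", v, ValidateStrict(v))
	}
}
```

Every string listed in the issue fails here with an "empty identifier" error, which is the rule the permissive pattern does not enforce.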