NuGet / NuGetGallery

NuGet Gallery is a package repository that powers https://www.nuget.org. Use this repo for reporting NuGet.org issues.
Apache License 2.0

[NuGet.org Bug]: Deprecation API is case sensitive on package version #10242

Open joelverhagen opened 3 weeks ago

joelverhagen commented 3 weeks ago

Impact

I'm unable to use NuGet.org

Describe the bug

This was found when helping the Azure SDK team with a bug.

If the version included in the deprecation API request does not match the original version casing (e.g. 2.6.0-rc1 instead of 2.6.0-RC1) the request fails with a 404.

Repro Steps

  1. Upload a package with version 2.6.0-RC1
  2. Deprecate it via API using this request body:
{
  "versions": [
    "2.6.0-rc1"
  ],
  "isLegacy": "true"
}

Expected Behavior

This should succeed. Instead it returns 404.

PUT /api/v2/package/MyPackage/deprecations HTTP/1.1
Accept: application/json, */*;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 27
Content-Type: application/json
Host: localhost
User-Agent: HTTPie/3.2.3
X-NuGet-ApiKey: API_KEY

{
    "versions": [
        "2.6.0-rc1"
    ]
}

HTTP/1.1 404 At least one version of package 'MyPackage' specified could not be found.
Cache-Control: private, s-maxage=0
Content-Length: 90
Content-Security-Policy: frame-ancestors 'none'
Content-Type: text/html; charset=utf-8
Date: Wed, 30 Oct 2024 13:35:00 GMT
Server: Microsoft-IIS/10.0
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block

At least one version of package 'MyPackage' specified could not be found.

Screenshots

No response

Additional Context and logs

No response
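
Added example, not part of the original issue and not NuGetGallery code: a client-side pre-check that maps requested versions back to the casing they were published with before the deprecation request is sent, so a deprecation does not silently fail to land on a 404. The function names and the `PUBLISHED` list are assumptions made for illustration (the caller is assumed to already hold the package's published version strings), and only casing is handled, no other version normalization.

```python
import json


def resolve_version_casing(requested, published):
    """Map each requested version to the casing it was published with.

    Returns (resolved, missing): `resolved` holds published-casing strings in
    request order without duplicates; `missing` holds requested versions that
    have no case-insensitive match and would still be rejected.
    """
    by_folded = {}
    for version in published:
        key = version.casefold()
        if key in by_folded and by_folded[key] != version:
            raise ValueError(
                f"published versions differ only by case: "
                f"{by_folded[key]!r} and {version!r}"
            )
        by_folded[key] = version

    resolved, missing = [], []
    for version in requested:
        original = by_folded.get(version.strip().casefold())
        if original is None:
            missing.append(version)
        elif original not in resolved:
            resolved.append(original)
    return resolved, missing


def build_deprecation_body(requested, published):
    """Build the JSON request body, refusing to send unmatched versions."""
    resolved, missing = resolve_version_casing(requested, published)
    if missing:
        raise LookupError(f"versions not published: {missing}")
    # Same shape as the captured request body: a single "versions" array.
    return json.dumps({"versions": resolved})


# Constructed sample data: one package's published versions (assumption).
PUBLISHED = ["2.5.0", "2.6.0-RC1", "2.6.0"]

if __name__ == "__main__":
    # The request uses lower-case "rc1"; the body carries the original casing.
    print(build_deprecation_body(["2.6.0-rc1", "2.6.0"], PUBLISHED))
```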

erdembayar commented 1 week ago

@joelverhagen

Should we close this issue considering the PR is merged?

joelverhagen commented 1 week ago

It hasn't deployed yet. I remember our process being to only close issues after they are verified in PROD.