composer / semver

Semantic versioning utilities with the addition of version constraints parsing and checking.
MIT License

Invalid version string "8.x-1.x-dev" #671 #124

Closed jderusse closed 3 years ago

jderusse commented 3 years ago

When analyzing a composer.lock file sent by customer, I discovered this package:

{
    "name": "foo/bar",
    "version": "8.x-1.x-dev",
    "...": "truncated"
}

When parsing the version, Semver throws an UnexpectedValueException.

Note: this exception is also thrown when running $composer->getLocker()->getLockedRepository() when the ArrayLoader is loading the package.

So, I wonder, if this is a legitimate version, and if we should patch Semver?

Seldaek commented 3 years ago

I suspect this is one of the few cases which composer/semver 2.x/3.x dropped support for by adding more strict validation. There were a few really broken constraints out in the wild that 1.x accepted but which make no sense. I don't think we want to add support again, this lock file needs fixing.

Latest composer/semver would treat this as dev-8.x-1.x if the branch name is 8.x-1.x. That should make it parseable. I hope this helps.
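The two behaviours described in this thread, as an added example that is not part of the original issue or of composer/semver itself: VersionParser::normalize() rejects the lock-file string "8.x-1.x-dev" with an UnexpectedValueException, while normalizeBranch() turns the branch name "8.x-1.x" into "dev-8.x-1.x". The helper that scans a lock-file package list and reports unparseable versions instead of aborting is a hypothetical addition; it assumes composer/semver 3.x is installed via Composer's autoloader.

```php
<?php
// Assumes composer/semver 3.x; "vendor/autoload.php" is the usual Composer path.
require __DIR__ . '/vendor/autoload.php';

use Composer\Semver\VersionParser;

$parser = new VersionParser();

// 1. The lock-file value from the issue: strict parsing rejects it.
try {
    $parser->normalize('8.x-1.x-dev');
} catch (UnexpectedValueException $e) {
    echo "rejected: " . $e->getMessage() . PHP_EOL;
}

// 2. The same thing expressed as a branch name, as Seldaek describes:
//    a name that is not a numeric "1.2.x" pattern becomes "dev-<name>".
echo $parser->normalizeBranch('8.x-1.x') . PHP_EOL; // dev-8.x-1.x

/**
 * Hypothetical helper: validate every "version" in a decoded composer.lock
 * package list. Returns [name => error message] for entries that strict
 * parsing rejects, so a reviewer can flag a customer-supplied lock file
 * instead of letting getLockedRepository() throw mid-way.
 *
 * @param array<int, array<string, mixed>> $packages  the "packages" array
 * @return array<string, string>
 */
function findInvalidLockVersions(array $packages): array
{
    $parser = new VersionParser();
    $invalid = [];
    foreach ($packages as $pkg) {
        $name = $pkg['name'] ?? '<unnamed>';
        try {
            $parser->normalize((string) ($pkg['version'] ?? ''));
        } catch (UnexpectedValueException $e) {
            $invalid[$name] = $e->getMessage();
        }
    }
    return $invalid;
}

// Constructed sample resembling the truncated lock entry from the issue.
$sample = [
    ['name' => 'foo/bar', 'version' => '8.x-1.x-dev'],
    ['name' => 'foo/baz', 'version' => 'dev-8.x-1.x'],
    ['name' => 'foo/qux', 'version' => '1.2.3'],
];
print_r(findInvalidLockVersions($sample)); // only foo/bar is reported
```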

jderusse commented 3 years ago

thanks for the explanation