hashicorp / go-version

A Go (golang) library for parsing and verifying versions and version constraints.
https://pkg.go.dev/github.com/hashicorp/go-version
Mozilla Public License 2.0

Invalid semver versions are treated as "valid" #106

Open radeksimko opened 1 year ago

radeksimko commented 1 year ago

As discovered by @rclark

The semver spec is clear that build or prerelease identifiers MUST come after a -.

Versions, such as the following

1.2.-3
1.2.03
1.2
1.2.3.4.5.6
1.2.3.alpha
1.2.3-preview.01
1.2.3-preview..1
1.2.3-preview!
1.2.3+one+two
1.2.3+one.2!

are treated as "valid". I intentionally put valid in quotes because it's clear that the internal representation of such a version is wrong anyway. All the consumer can reliably do with that parsed version is to call String() on it to reconstruct the same (invalid) version. https://go.dev/play/p/hyp8ZZJQO8-

The Readme of go-version explicitly says

Versions used with go-version must follow SemVer.

Therefore I would treat this as a bug.

jspdown commented 10 months ago

I recently compared the regular expression used by go-version with the one proposed on semver.org

And I confirm there are many false positives:
go-version: https://regex101.com/r/KP9LZN/1
semver.org: https://regex101.com/r/Ly7O1x/3/
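A strict validator, added here as an example (not code from the issue, the commenters, or go-version), that applies the semver.org regular expression jspdown refers to against the versions radeksimko listed; a consumer that validates this way before comparing or resolving versions fails closed on malformed input instead of working with a misparsed value. The regexp is the published semver.org one; the names ParseStrict, RejectedVersions and StrictSemver are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Official semver.org regular expression (the one the issue compares against).
// Capture groups: 1 major, 2 minor, 3 patch, 4 prerelease, 5 build metadata.
var semverRe = regexp.MustCompile(`^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)` +
	`(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?` +
	`(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$`)

// StrictSemver holds the components of a version that passed strict validation.
type StrictSemver struct {
	Major, Minor, Patch string
	Prerelease, Build   string
}

// ParseStrict accepts only versions conforming to the semver.org grammar and
// returns an error (rather than a "valid" but wrong representation) for
// inputs such as "1.2.03", "1.2" or "1.2.3-preview..1".
func ParseStrict(v string) (*StrictSemver, error) {
	m := semverRe.FindStringSubmatch(v)
	if m == nil {
		return nil, fmt.Errorf("invalid semver version: %q", v)
	}
	return &StrictSemver{Major: m[1], Minor: m[2], Patch: m[3], Prerelease: m[4], Build: m[5]}, nil
}

// RejectedVersions reports which of the given inputs fail strict validation.
func RejectedVersions(inputs []string) []string {
	var rejected []string
	for _, in := range inputs {
		if _, err := ParseStrict(in); err != nil {
			rejected = append(rejected, in)
		}
	}
	return rejected
}

func main() {
	// The versions listed in the issue; every one of them is rejected here.
	issueInputs := []string{"1.2.-3", "1.2.03", "1.2", "1.2.3.4.5.6", "1.2.3.alpha",
		"1.2.3-preview.01", "1.2.3-preview..1", "1.2.3-preview!", "1.2.3+one+two", "1.2.3+one.2!"}
	for _, in := range issueInputs {
		_, err := ParseStrict(in)
		fmt.Printf("%-18s -> %v\n", in, err)
	}
}
```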