search

liquidz / antq

Point out your outdated dependencies.
Other
394 stars 22 forks source link

Returning the wrong version when using :type :git-tag-and-sha #213

Closed rafaeldelboni closed 1 year ago

rafaeldelboni commented 1 year ago

When using outdated-deps passing dependencies that are listed with git tag/sha it is returning the wrong version or no update

Case 1

Wrong version

Reproduce

(antq.api/outdated-deps
 {'org.clojure/clojurescript
  {:git/url "https://github.com/clojure/clojurescript.git"
   :tag "r1.11.57"
   :sha "e4ff22f"}})

; return =>

({:name "org.clojure/clojurescript",
  :file "",
  :extra
  {:url "https://github.com/clojure/clojurescript.git",
   :sha "e4ff22f"},
  :type :git-tag-and-sha,
  :repositories
  {"central" {:url "https://repo1.maven.org/maven2/"},
   "clojars" {:url "https://repo.clojars.org/"}},
  :changes-url
  "https://github.com/clojure/clojurescript/blob/r3308/changes.md",
  :project :clojure,
  :latest-version "r3308",
  :latest-name nil,
  :version "r1.11.57"})

Expected

Return the latest version at the moment writing this issue: https://github.com/clojure/clojurescript/releases/tag/r1.11.60

Case 2

Says that the current version is the latest, but is not the case

Reproduce

(antq.api/outdated-deps
 {'lilactown/helix
  {:git/url "https://github.com/lilactown/helix.git"
   :sha "3ce634f16e86700ecc9cc1b091924bc327440c36"
   :tag "0.1.9"}})

; return =>

()

Expected

Return the latest version at the moment writing this issue: https://github.com/lilactown/helix/releases/tag/0.1.10

liquidz commented 1 year ago

@rafaeldelboni Thanks for your reporting! Those repositories are containing tags that are not semantic versioning and therefore do not return results correctly.

In git tags, strings other than version numbers may be included, so in antq, they are excluded from comparison. https://github.com/liquidz/antq/blob/0a6ce331cc2dc74ed8e415631eaa69a3e4de153d/src/antq/util/ver.clj#L17-L19

Therefore, if a tag name contains numbers, they are used to determine which one is the latest version. As a result, if there are some non-semantic versioning tag names mixed in with semantic versioning tags, the result tends to be incorrect.

Currently, there is no process to exclude just the non-semantic versioning tags, so excluding the relevant version may be a workaround.

(outdated-deps
 {'lilactown/helix
  {:git/url "https://github.com/lilactown/helix.git"
   :sha "3ce634f16e86700ecc9cc1b091924bc327440c36"
   :tag "0.1.9"}}
 {:exclude ["lilactown/helix@will/hf021120"]}))

However, in the case of ClojureScript, there are many versions to exclude, so it is necessary to find a way to specify a version range.

(outdated-deps
 {'org.clojure/clojurescript
  {:git/url "https://github.com/clojure/clojurescript.git"
   :tag "r1.11.57"
   :sha "e4ff22f"}}
 ;; THIS IS EXAMPLE. NOT WORKING FOR NOW.
 {:exclude ["org.clojure/clojurescript@r3*"]})

We are currently discussing and implementing this in #212, but since it assumes semantic versioning for exclusions, it doesn't seem to fit this case well.

As mentioned above, git tags tend to include extra strings that can affect the results, so it is better to use the ones deployed to the Maven repository.

rafaeldelboni commented 1 year ago

Thanks for the clarification!

As mentioned above, git tags tend to include extra strings that can affect the results, so it is better to use the ones deployed to the Maven repository.

Unfortunately, I have a very niche necessity that I need to download all my deps using git, but I completely understand that I'm using your tool "wrong".

I was thinking about this "problem" and had an idea, would it be possible to add a new option like :sort-tags-by-date true, get tags metadata using git log --tags --simplify-by-decoration --pretty="format:%ci %d", and sort tags using this information instead of the tag name?

(Sorry if this is a completely dumb question, didn't look at antq source code yet.)

liquidz commented 1 year ago

@rafaeldelboni

I was thinking about this "problem" and had an idea, would it be possible to add a new option like :sort-tags-by-date true, get tags metadata using git log --tags --simplify-by-decoration --pretty="format:%ci %d", and sort tags using this information instead of the tag name?

For now, there are no plan to implement the sort-tags-by-date feature, as it is too specific to git tags.

On the other hand, I'm considering to add a feature to check for versions which is up-to-date but have an older release date. In this case, I might store the release date of each version in the Dependency records. (I hadn't registered this as an issue, so I created one: #214)

If this feature is implemented, you should be able to access the tag dates via the API, and users are free to sort by them. But, the current antq.api/outdated-deps only returns outdated dependencies, so we may need an API that returns a list of dependencies before checking if they are outdated (e.g., fetch-deps).

rafaeldelboni commented 1 year ago

Thanks, I've subscribed to the new issue you mentioned I will close this issue for now.