Paket.lock - include patch versions when omitted by Paket #645
Conversation
Signed-off-by: Robert Liias <robert.liias@napa.fi>
| // Include patch version when not set by Paket | ||
| function formatVersion(version) { | ||
| if (version.split(".").length == 2) { | ||
| return version + ".0"; |
There was a problem hiding this comment.
If this is a bug in paket we need to file a ticket against the the package manager. Or if it is a feature we need to faithfully retain the version as is and let the downstream tools handle the versions.
There was a problem hiding this comment.
Instead of being a bug, this just seems to be how Paket formats the versions in lock files by leaving out the "unnecessary" patch version of 0. I don't see including it in the BOM as a huge issue though since version 1.0 === 1.0.0 etc. Just provides more accuracy and follows NuGet's versioning.
This also impacts the metadata/license information provided by the tool. We can't find an exact version match from the api calls for versions lacking the patch number. But if including it in the BOM is not possible, the nuget-semver package from #646 could maybe be used to determine version equality between X.Y and X.Y.0.
Please feel free to suggest other solutions as well if keeping the package is not possible either as discussed. It would be nice if we could gather the licenses also for these packages lacking the patch version number.
There was a problem hiding this comment.
I understand. I am okay with appending this during license detection. The semver coerce method must handle this case, so worth a test. However, the final BOM should faithfully use the same version provided by paket to avoid confusion. Tools like depscan can already handle these sort of mismatches.
|
@robaliias Is this PR required now that we have #646 ? |
|
No, this is no longer needed. Fixed in #646. |
Add .0 patch versions to the BOM when Paket omits them from the lockfile. Improves querying licesense information, and version handling in Dependency-Track.