Validate package versions
Summary
We should validate the package version when a new package is persisted in the database.
Currently, there is a SemVer validation for NPM packages: https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/models/packages/package.rb#L34
Here is the current situation:
| Package Type | Version field following | Validated in GitLab | Notes |
|---|---|---|---|
| Maven | Custom. See https://docs.oracle.com/middleware/1212/core/MAVEN/maven_version.htm#MAVEN8855 | | Possible regexp: https://www.regextester.com/95087 |
| NPM | SemVer. See https://docs.npmjs.com/about-semantic-versioning | Yes (SemVer validation linked above) | |
| NuGet | SemVer. See https://docs.microsoft.com/en-us/nuget/concepts/package-versioning#pre-release-versions | | |
| Conan | Custom. See https://docs.conan.io/en/latest/versioning/introduction.html#version-ranges | Done in !29739 (merged) | |
| PyPI | Custom. See https://www.python.org/dev/peps/pep-0440/ | MR: !35080 (merged) | |
| Composer | Custom. See https://getcomposer.org/doc/articles/versions.md#vcs-tags-and-branches | !46191 (merged) | |
Improvements
- All package versions should be validated, either against SemVer or against whatever versioning scheme the package type uses.
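The following is an added example for this issue, not GitLab's own code: a plain Ruby module that checks a version string against the scheme of its package type, so it runs without Rails. The patterns are assumptions for illustration, as are the `PackageVersionValidator`, `error_for`, `valid?` and `mismatches` names: `SEMVER` is the semver.org 2.0.0 regex, `PEP440` follows the appendix of the PEP linked above, and `MAVEN` is a deliberately simplified reading of the Maven docs linked above. The `EXAMPLES` table is constructed data showing the kind of accept/reject cases a per-type spec could cover.

```ruby
# Added example, not GitLab's code. Validates a version string against
# the versioning scheme of its package type, without Rails.
module PackageVersionValidator
  # semver.org 2.0.0 pattern, anchored.
  SEMVER = /\A
    (0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)                  # major.minor.patch, no leading zeros
    (?:-(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)
       (?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*)?      # optional pre-release identifiers
    (?:\+[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*)?                  # optional build metadata
  \z/x

  # Assumption: dotted numeric segments plus an optional "-qualifier"
  # (1.0, 1.2.3-SNAPSHOT, 2.0.0-beta-1). Maven's real rules accept more;
  # tighten or loosen per the Oracle doc linked in the table.
  MAVEN = /\A\d+(?:\.\d+)*(?:-[0-9A-Za-z][0-9A-Za-z._-]*)?\z/

  # PEP 440 canonical pattern (from the PEP's appendix), case-insensitive.
  PEP440 = /\A
    v?(?:\d+!)?\d+(?:\.\d+)*                                  # optional epoch, release segment
    (?:[-_.]?(?:a|b|c|rc|alpha|beta|pre|preview)[-_.]?\d*)?   # pre-release
    (?:-\d+|[-_.]?(?:post|rev|r)[-_.]?\d*)?                   # post-release
    (?:[-_.]?dev[-_.]?\d*)?                                   # dev release
    (?:\+[a-z0-9]+(?:[-_.][a-z0-9]+)*)?                       # local version label
  \z/xi

  # NuGet is mapped to SemVer because the table above says so; legacy
  # four-part NuGet versions are out of scope for this example.
  PATTERNS = { npm: SEMVER, nuget: SEMVER, maven: MAVEN, pypi: PEP440 }.freeze

  # Returns nil when the version is acceptable, otherwise a message that a
  # model validation could add to errors[:version].
  def self.error_for(package_type, version)
    pattern = PATTERNS[package_type]
    return "no version rule defined for package type #{package_type.inspect}" unless pattern
    return "version must be a non-empty string" unless version.is_a?(String) && !version.strip.empty?
    return nil if pattern.match?(version)

    "#{version.inspect} is not a valid #{package_type} version"
  end

  def self.valid?(package_type, version)
    error_for(package_type, version).nil?
  end

  # Constructed cases of the kind a per-type spec could cover: true means the
  # registry should accept the version, false means it should reject it.
  EXAMPLES = {
    npm:   { "1.2.3" => true, "1.2.3-beta.1+build.5" => true, "01.2.3" => false, "1.2" => false },
    nuget: { "4.0.0-preview.2" => true, "4.0.0.0" => false },
    maven: { "1.0" => true, "1.2.3-SNAPSHOT" => true, "1..2" => false, "1.0-" => false },
    pypi:  { "1.0a1" => true, "2!1.0.post1.dev2+local.1" => true, "1.0-SNAPSHOT" => false }
  }.freeze

  # Returns [package_type, version] pairs whose result disagrees with EXAMPLES.
  def self.mismatches
    EXAMPLES.flat_map do |type, cases|
      cases.reject { |version, expected| valid?(type, version) == expected }
           .map { |version, _| [type, version] }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "npm 01.2.3: #{PackageVersionValidator.error_for(:npm, '01.2.3')}"
  puts "mismatches: #{PackageVersionValidator.mismatches.inspect}"
end
```

Keeping one pattern per package type in a lookup table mirrors the "whatever scheme the type uses" requirement: adding a type means adding a row and its cases, and `mismatches` makes the example table double as a regression check when a pattern is tightened.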
Risks
- This validation will run on package creation and update.
- Some packages that the GitLab Package Registry accepted before may no longer be pushable once their versions are rejected.
- Existing packages should not be affected unless a record with a now-invalid version is updated, since the validation also runs on update.
Involved components
Optional: Missing test coverage
- Improve package_spec.rb by adding examples for all package types.
- Improve the test coverage for the component responsible for package creation/update.
Edited by Giorgenes Gelatti