No validation of version number mismatches between .nuspec and .psd1 #55

Open
neilalexander opened this issue Apr 1, 2019 · 5 comments


@neilalexander

I'm running into more and more packages where the version number in the .nuspec file does not match the version number in the .psd1 of the module. This is bad.

A small handful of examples:

This causes problems with software like ProGet as I guess ProGet can only depend upon the .nuspec version number as it applies to the entire NuGet package.

I don't know whether ProGet plays a specific part in this problem but I don't believe that ProGet reading the package version number from the .nuspec file is unreasonable.

As a result, when a package is installed from a ProGet repository onto a Windows machine, it ends up in the wrong location, e.g.

C:\Program Files\WindowsPowerShell\Modules\SqlServerDsc\12.2.0

... where the .psd1 actually says 12.2.0.0. Then PowerShell refuses to load the module because it believes the manifest is incorrect.

I feel that it is a bug that PowerShellGallery allows packages to be uploaded with obvious version mismatches in the metadata like this.

It should either prevent the upload with a very clear warning or update the .nuspec file to match the version as specified in the .psd1 file.

@neilalexander
Author

In addition, Artifactory is affected by this problem in the same way that ProGet is.

@edyoung
Contributor

edyoung commented Apr 2, 2019

The .nuspec is generated from the .psd1 by publish-module. I believe you are seeing https://github.com/PowerShell/PowerShellGet/issues/416, please close as a duplicate if you disagree and clarify if the issue is actually different. Thanks!

@Benny1007

Benny1007 commented Apr 2, 2019

the problem is with the nuget pack command and normalization noted here: https://docs.microsoft.com/en-us/nuget/reference/package-versioning#normalized-version-numbers

hence even with 12.2.0.0 in the psd1 AND in a .nuspec, on a nuget pack 12.2.0.0 is treated as 12.2.0 and the metadata version field in the resulting package's nuspec gets updated to 12.2.0.

There is plenty of discussion here:-
NuGet/Home#3050 but it doesn't look like it's getting resolved anytime soon 👎

@neilalexander
Author

This does look to be the root of the problem, but in my mind the fact that PowerShellGallery doesn’t validate and actually allows those packages to be uploaded with mismatching metadata is a separate bug that stands on its own.

It’s just as possible that there are, or may be in the future, other authoring tools out there which might produce similar issues. Therefore I’d like to keep this bug open as PowerShellGallery really should guard against that.
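One way to implement the upload-time guard requested in this thread, as an added example that is not part of the original discussion and is not PowerShellGallery, ProGet or NuGet code: it reads the version from the .nuspec and the ModuleVersion from the .psd1 inside a .nupkg and reports whether they match exactly, differ only by NuGet normalization (the 12.2.0 versus 12.2.0.0 case above), or differ outright. The function names and the SampleModule package are hypothetical; the code assumes numeric versions without a prerelease label and a UTF-8 manifest.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

def normalize_nuget_version(version: str) -> str:
    """NuGet normalization for numeric versions: strip leading zeros,
    pad to three parts, omit a fourth part that is zero."""
    parts = [str(int(p)) for p in version.strip().split(".")]  # ValueError if non-numeric
    parts += ["0"] * (3 - len(parts))
    if len(parts) == 4 and parts[3] == "0":
        parts.pop()
    return ".".join(parts)

def read_versions(nupkg: bytes) -> tuple[str, str]:
    """Return (.nuspec <version>, .psd1 ModuleVersion) from a .nupkg archive."""
    with zipfile.ZipFile(io.BytesIO(nupkg)) as pkg:
        names = pkg.namelist()
        nuspec = next(n for n in names if n.lower().endswith(".nuspec"))
        psd1 = next(n for n in names if n.lower().endswith(".psd1"))
        root = ET.fromstring(pkg.read(nuspec))
        # Match <version> whichever nuspec XML namespace the package uses.
        nuspec_version = next(
            e.text.strip() for e in root.iter() if e.tag.split("}")[-1] == "version")
        # Assumption: the manifest is UTF-8 and ModuleVersion is a quoted literal.
        manifest = pkg.read(psd1).decode("utf-8-sig")
        found = re.search(r"^\s*ModuleVersion\s*=\s*['\"]([^'\"]+)['\"]", manifest, re.M)
    return nuspec_version, found.group(1)

def check_package(nupkg: bytes) -> str:
    """Classify a package as 'match', 'normalized-mismatch' or 'mismatch'."""
    nuspec_version, module_version = read_versions(nupkg)
    if nuspec_version == module_version:
        return "match"
    if normalize_nuget_version(nuspec_version) == normalize_nuget_version(module_version):
        return "normalized-mismatch"  # e.g. 12.2.0 in .nuspec vs 12.2.0.0 in .psd1
    return "mismatch"

def build_sample_nupkg(nuspec_version: str, module_version: str) -> bytes:
    """Constructed sample package for the demo, not a real gallery package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("SampleModule.nuspec", "<package><metadata><id>SampleModule</id>"
                     f"<version>{nuspec_version}</version></metadata></package>")
        pkg.writestr("SampleModule.psd1", f"@{{\n    ModuleVersion = '{module_version}'\n}}\n")
    return buf.getvalue()

if __name__ == "__main__":
    print(check_package(build_sample_nupkg("12.2.0", "12.2.0.0")))
```

A feed that installs into a folder named after the .nuspec version would need to reject or repair anything other than `match`, since the folder name and the manifest version must agree for the module to load.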

@rrelyea

rrelyea commented Sep 24, 2019

Is there somebody from powershell gallery that could engage with the nuget team to discuss the variety of options to fix this?
