fix(deps): update semver to v3

[nkzk]

Description of your changes

Updates semver package to v3.
This adds support for properly detecting comma/space separated version constraint ranges - added test cases for this.

The casing in semver error messages has changed, which required me to also fix the "invalid semantic version"-test.

Background: Based on feedback in crossplane/crossplane#7050, I started to look if i can reuse pkg/xpkg, and see that this update would be needed anyway.

I have:

• Read and followed Crossplane's contribution process.
• Run ./nix.sh flake check to ensure this PR is ready for review.
• Added or updated unit tests.
• Linked a PR or a docs tracking issue to document this change.
• Added backport release-x.y labels to auto-backport this PR.

Need help with this checklist? See the cheat sheet.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a347fac6-edd3-4d5a-b6cf-592ca43d777d

📥 Commits

Reviewing files that changed from the base of the PR and between 3f87b9a and eab5047.

📒 Files selected for processing (1)

• pkg/version/version_test.go

✅ Files skipped from review due to trivial changes (1)

• pkg/version/version_test.go

---

📝 Walkthrough

Walkthrough

Imports updated to github.com/Masterminds/semver/v3 across code; tests extended to cover space-separated, comma-separated, and malformed semver constraint cases, and expected error casing adjusted.

Changes

Cohort / File(s)	Summary
Semver v3 Import Upgrade pkg/version/version.go, pkg/xpkg/client.go, pkg/xpkg/lint.go	Replaced imports from github.com/Masterminds/semver with github.com/Masterminds/semver/v3; retained existing semver API usage (types/functions) and behavior.
Test Coverage Enhancement pkg/version/version_test.go	Adjusted expected invalid-version error text/case and added three TestInRange cases: space-separated ranged constraint, comma-separated ranged constraint, and an invalid space-separated ranged constraint.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title clearly and concisely describes the main change: updating the semver dependency to v3. It stays well under the 72-character limit and directly reflects the core objective of the changeset.
Description check	✅ Passed	The description is directly related to the changeset, explaining the semver v3 upgrade, the test updates for new constraint ranges, and the error message casing fix required by the new version.
Breaking Changes	✅ Passed	The PR updates the semver dependency import path from v0/v1 to v3 with no changes to public API signatures, types, or method contracts.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

pkg/version/version_test.go (1)

83-112: Consider adding caret (^) operator tests for 0.x constraints to document expected behavior.

The code uses Masterminds/semver/v3, where caret ranges for 0.x versions have specific semantics: ^0.2.3 expands to >=0.2.3 <0.3.0 and ^0.0.3 expands to >=0.0.3 <0.0.4. Adding a couple of test cases for these would make the compatibility expectations explicit—especially helpful since v3 changed caret behavior from earlier versions.

Would documenting the current behavior (v3 semantics) via tests work for this PR, or would you prefer to align with a different semver version's behavior?

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/version/version_test.go` around lines 83 - 112, Add two table-driven
tests in pkg/version/version_test.go to document Masterminds/semver v3 caret
semantics for 0.x: create a "CaretZeroMinor" case that uses constraint "^0.2.3"
and asserts that a version like "v0.2.5" is allowed and "v0.3.0" is not (i.e.
^0.2.3 => >=0.2.3 <0.3.0), and a "CaretZeroPatch" case that uses constraint
"^0.0.3" and asserts that "v0.0.3" is allowed but "v0.0.4" is not (i.e. ^0.0.3
=> >=0.0.3 <0.0.4); follow the existing test table pattern used by the other
cases (e.g., "ValidSpaceSeparatedRange", "CommaSeparatedRangedConstraint") so
the behavior is explicitly recorded.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@pkg/version/version_test.go`:
- Around line 83-112: Add two table-driven tests in pkg/version/version_test.go
to document Masterminds/semver v3 caret semantics for 0.x: create a
"CaretZeroMinor" case that uses constraint "^0.2.3" and asserts that a version
like "v0.2.5" is allowed and "v0.3.0" is not (i.e. ^0.2.3 => >=0.2.3 <0.3.0),
and a "CaretZeroPatch" case that uses constraint "^0.0.3" and asserts that
"v0.0.3" is allowed but "v0.0.4" is not (i.e. ^0.0.3 => >=0.0.3 <0.0.4); follow
the existing test table pattern used by the other cases (e.g.,
"ValidSpaceSeparatedRange", "CommaSeparatedRangedConstraint") so the behavior is
explicitly recorded.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 0612cff0-100d-4d2b-ab8e-99a494e5fa5a

📥 Commits

Reviewing files that changed from the base of the PR and between a6564dd and abcf5c6.

⛔ Files ignored due to path filters (3)

• go.mod is excluded by none and included by none
• go.sum is excluded by !**/*.sum and included by none
• pkg/version/fake/mocks.go is excluded by !**/fake/** and included by **/*.go

📒 Files selected for processing (4)

• pkg/version/version.go
• pkg/version/version_test.go
• pkg/xpkg/client.go
• pkg/xpkg/lint.go

[adamwg]

lgtm, thanks for the update!

[jbw976]

I'm seeing failures in lint and unit tests check, e.g.:

       > Running phase: checkPhase
       > pkg/version/fake/mocks.go:21:2: could not import github.com/Masterminds/semver/v3 (pkg/version/version.go:21:2: cannot find module providing package github.com/Masterminds/semver/v3: import lookup disabled by -mod=vendor) (typecheck)
       >     "github.com/Masterminds/semver/v3"

does this maybe need a nix run #.tidy?

[nkzk]

I'm seeing failures in lint and unit tests check, e.g.:

       > Running phase: checkPhase
       > pkg/version/fake/mocks.go:21:2: could not import github.com/Masterminds/semver/v3 (pkg/version/version.go:21:2: cannot find module providing package github.com/Masterminds/semver/v3: import lookup disabled by -mod=vendor) (typecheck)
       >     "github.com/Masterminds/semver/v3"

does this maybe need a nix run #.tidy?

./nix.sh flake check looks better now!

[jbw976]

sweet, everything is green now! 💪

thanks for continuing to drive this and get it to the finish line! 🙇‍♂️