feat: swallow exceptions on unparseable NPM package versions (#14233)

When checking for new NPM package versions, do not replace versions that we do not understand.

Closes #14217

flow-server/src/main/java/com/vaadin/flow/server/frontend/NodeUpdater.java

@@ -509,16 +509,23 @@ int addDependency(JsonObject json, String key, String pkg, String version) {
 
     private boolean isNewerVersion(JsonObject json, String pkg,
             String version) {
+        FrontendVersion newVersion = new FrontendVersion(version);
+
         try {
-            FrontendVersion newVersion = new FrontendVersion(version);
             FrontendVersion existingVersion = toVersion(json, pkg);
             return newVersion.isNewerThan(existingVersion);
         } catch (NumberFormatException e) {
             if (VAADIN_FORM_PKG.equals(pkg) && json.getString(pkg)
                     .contains(VAADIN_FORM_PKG_LEGACY_VERSION)) {
                 return true;
             } else {
-                throw e;
+                // NPM package versions are not always easy to parse, see
+                // https://docs.npmjs.com/cli/v8/configuring-npm/package-json#dependencies
+                // for some examples. So let's return false for unparsable
+                // versions, as we don't want them to be updated.
+                log().warn("Package {} has unparseable version: {}", pkg,
+                        e.getMessage());
+                return false;
             }
         }
     }

flow-server/src/test/java/com/vaadin/flow/server/frontend/NodeUpdaterTest.java

@@ -226,6 +226,52 @@ public void shouldUpdateExistingLocalFormPackageToNpmPackage()
                 .getObject(NodeUpdater.DEPENDENCIES).getString(formPackage));
     }
 
+    @Test
+    public void shouldSkipUpdatingNonParsableVersions() throws IOException {
+        JsonObject packageJson = Json.createObject();
+        JsonObject dependencies = Json.createObject();
+        packageJson.put(NodeUpdater.DEPENDENCIES, dependencies);
+        JsonObject vaadinDependencies = Json.createObject();
+        vaadinDependencies.put(NodeUpdater.DEPENDENCIES, Json.createObject());
+        packageJson.put(NodeUpdater.VAADIN_DEP_KEY, vaadinDependencies);
+
+        String formPackage = "@vaadin/form";
+        String existingVersion = "../../../some/local/path";
+        String newVersion = "2.0.0";
+
+        dependencies.put(formPackage, existingVersion);
+
+        nodeUpdater.addDependency(packageJson, NodeUpdater.DEPENDENCIES,
+                formPackage, newVersion);
+
+        Assert.assertEquals(existingVersion, packageJson
+                .getObject(NodeUpdater.DEPENDENCIES).getString(formPackage));
+    }
+
+    @Test
+    public void shouldThrowExceptionOnNewVersionNonParsable() {
+        JsonObject packageJson = Json.createObject();
+        JsonObject dependencies = Json.createObject();
+        packageJson.put(NodeUpdater.DEPENDENCIES, dependencies);
+        JsonObject vaadinDependencies = Json.createObject();
+        vaadinDependencies.put(NodeUpdater.DEPENDENCIES, Json.createObject());
+        packageJson.put(NodeUpdater.VAADIN_DEP_KEY, vaadinDependencies);
+
+        String formPackage = "@vaadin/form";
+        String existingVersion = "2.0.0";
+        String newVersion = "../../../some/local/path";
+
+        dependencies.put(formPackage, existingVersion);
+
+        NumberFormatException expectedException = Assert
+                .assertThrows(NumberFormatException.class,
+                        () -> nodeUpdater.addDependency(packageJson,
+                                NodeUpdater.DEPENDENCIES, formPackage,
+                                newVersion));
+        Assert.assertTrue(expectedException.getMessage()
+                .contains("is not a valid version"));
+    }
+
     @Test
     public void getJsonFileContent_incorrectPackageJsonContent_throwsExceptionWithFileName()
             throws IOException {