Bug Report
Description
The dependency version validation logic incorrectly reports valid dependency versions as invalid when they exist as backport releases or earlier releases that are not the latest.
Example
In PR https://github.com/keycardlabs/pkg-oapi-common/pull/25#discussion_r2248812465, the analysis incorrectly reported that github.com/matoous/go-nanoid/v2 v2.1.0 was invalid because v2.1.0 was not the latest release. However, v2.1.0 is a valid release that exists at https://github.com/matoous/go-nanoid/releases/tag/v2.1.0.
Root Cause
The validation logic uses gh api repos/owner/repo/releases/latest, which only returns the most recent release, rather than checking for the specific version being used.
Expected Behavior
The validation should check for the specific version being used in the dependency, not just compare against the latest release.
Suggested Fix
Use gh api repos/owner/repo/releases/tags/{version} to check if the specific version exists, or list all releases and search for the target version.
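The following is an added example, not code from this project or from the reporter, showing the faulty latest-only check next to the suggested per-tag lookup. It parses a go.mod require entry, maps the module path to a GitHub owner/repo (stripping the "/v2" major-version suffix, which is part of the Go module path but not of the repository name), and validates the version through an injectable fetcher. The `gh_fetch` function shells out to `gh api` and treats a non-zero exit (e.g. HTTP 404) as "not found"; `sample_fetch` replaces it with constructed responses so the example runs offline. The "latest" tag in the sample data is a placeholder, not a claim about the real go-nanoid release history.

```python
"""Validate a go.mod dependency version against GitHub releases.

Added example: contrasts the latest-only check described in this issue with a
lookup of the specific tag. Uses an injectable fetcher so it can run offline.
"""
import json
import re
import subprocess

# Go module paths for major versions >= 2 carry a "/vN" suffix
# (github.com/matoous/go-nanoid/v2). That suffix is not part of the GitHub
# repository name and must be stripped before building an API path.
_GITHUB_MODULE = re.compile(r"^github\.com/([^/]+)/([^/]+)(?:/v\d+)?$")


def repo_from_module(module_path):
    """Map a GitHub-hosted Go module path to 'owner/repo'."""
    m = _GITHUB_MODULE.match(module_path)
    if not m:
        raise ValueError(f"not a GitHub module path: {module_path}")
    return f"{m.group(1)}/{m.group(2)}"


def parse_require_line(line):
    """Parse one go.mod require entry such as 'github.com/x/y/v2 v2.1.0 // indirect'."""
    parts = line.strip().split()
    if len(parts) < 2 or not parts[1].startswith("v"):
        raise ValueError(f"malformed require entry: {line!r}")
    return parts[0], parts[1]


def gh_fetch(endpoint):
    """Real fetcher: runs `gh api <endpoint>`; returns None when gh exits non-zero (e.g. 404)."""
    proc = subprocess.run(["gh", "api", endpoint], capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return json.loads(proc.stdout)


def validate_against_latest(module_path, version, fetch):
    """The behaviour reported as buggy: only releases/latest is consulted,
    so any valid backport or older release is reported as invalid."""
    repo = repo_from_module(module_path)
    latest = fetch(f"repos/{repo}/releases/latest")
    return latest is not None and latest.get("tag_name") == version


def validate_specific_tag(module_path, version, fetch):
    """The suggested fix: look up the exact tag the dependency uses."""
    repo = repo_from_module(module_path)
    release = fetch(f"repos/{repo}/releases/tags/{version}")
    return release is not None and release.get("tag_name") == version


# Constructed sample API responses (not real data). The latest tag is a
# placeholder that merely differs from the version under review.
SAMPLE_RELEASES = {
    "repos/matoous/go-nanoid/releases/latest": {"tag_name": "vPLACEHOLDER-latest"},
    "repos/matoous/go-nanoid/releases/tags/v2.1.0": {"tag_name": "v2.1.0"},
}


def sample_fetch(endpoint):
    """Offline stand-in for gh_fetch backed by SAMPLE_RELEASES."""
    return SAMPLE_RELEASES.get(endpoint)


if __name__ == "__main__":
    module, version = parse_require_line("github.com/matoous/go-nanoid/v2 v2.1.0")
    print("latest-only check:", validate_against_latest(module, version, sample_fetch))
    print("specific-tag check:", validate_specific_tag(module, version, sample_fetch))
```

One caveat for anyone implementing the fix: releases/tags/{version} only finds GitHub Releases. A Go module version can also be served from a plain git tag with no release object, so a lookup that returns 404 there is still not proof that the version is invalid; the "list all releases and search" alternative has the same blind spot.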
Impact
This causes false positive errors in code reviews, leading to unnecessary confusion and incorrect suggestions to users.
Reporter
Reported by @seriousben in the context of reviewing go.mod dependency additions.