Bug: Dependency version validation only checks latest release, misses backport/earlier releases #485

@coderabbitai

Bug Report

Description

The dependency version validation logic incorrectly reports valid dependency versions as invalid when they exist as backport releases or earlier releases that are not the latest.

Example

In PR https://github.com/keycardlabs/pkg-oapi-common/pull/25#discussion_r2248812465, the analysis incorrectly reported that github.com/matoous/go-nanoid/v2 v2.1.0 was invalid because v2.1.0 was not the latest release. However, v2.1.0 is a valid release that exists at https://github.com/matoous/go-nanoid/releases/tag/v2.1.0.

Root Cause

The validation logic uses gh api repos/owner/repo/releases/latest which only returns the most recent release, rather than checking for the specific version being used.

Expected Behavior

The validation should check for the specific version being used in the dependency, not just compare against the latest release.

Suggested Fix

Use gh api repos/owner/repo/releases/tags/{version} to check if the specific version exists, or list all releases and search for the target version.

Impact

This causes false positive errors in code reviews, leading to unnecessary confusion and incorrect suggestions to users.

Reporter

Reported by @seriousben in the context of reviewing go.mod dependency additions.
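As an added example (not code from the issue, its reporter, or the project), the following Python shows the two lookups side by side: the `releases/latest` comparison that produces the false positive the issue describes, and the `releases/tags/{version}` lookup (with a paginated release-list search as the fallback the issue also suggests). The `gh api` wrapper is real `gh` CLI usage; the `make_fake_fetch` helper, the `example/constructed-repo` repository and its tag list are constructed so the logic can be exercised offline. The go.mod parsing also strips the `/vN` major-version suffix, which is part of the module path but not of the GitHub repository name.

```python
import json
import re
import subprocess
from typing import Callable, List, Optional
from urllib.parse import parse_qs, urlsplit

# A fetcher takes an API path such as "repos/o/r/releases/latest" and returns
# the decoded JSON body, or None when the request failed (e.g. HTTP 404).
Fetch = Callable[[str], Optional[object]]


def gh_api(path: str) -> Optional[object]:
    """Real fetcher: run `gh api <path>` and decode its JSON output.

    `gh api` exits non-zero on HTTP errors, so a missing tag (404) and an
    auth/network failure both come back as None; callers that need to tell
    them apart should inspect proc.stderr instead.
    """
    proc = subprocess.run(["gh", "api", path], capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return json.loads(proc.stdout)


def parse_go_require(line: str):
    """Turn a go.mod require line into (owner, repo, version).

    "github.com/matoous/go-nanoid/v2 v2.1.0" -> ("matoous", "go-nanoid", "v2.1.0")
    The "/v2" suffix belongs to the Go module path, not the repository name.
    Returns None for non-GitHub module paths.
    """
    line = line.split("//", 1)[0].strip()          # drop "// indirect" comments
    m = re.fullmatch(r"github\.com/([^/\s]+)/([^/\s]+)(?:/v\d+)?\s+(\S+)", line)
    return (m.group(1), m.group(2), m.group(3)) if m else None


def latest_only_check(owner: str, repo: str, version: str, fetch: Fetch = gh_api) -> bool:
    """The flawed check from the issue: only the newest release is consulted,
    so any valid earlier or backport release is reported as invalid."""
    latest = fetch(f"repos/{owner}/{repo}/releases/latest")
    return isinstance(latest, dict) and latest.get("tag_name") == version


def release_exists(owner: str, repo: str, version: str, fetch: Fetch = gh_api) -> bool:
    """Fixed check: ask for the exact tag; 404 (None) means no such release."""
    return fetch(f"repos/{owner}/{repo}/releases/tags/{version}") is not None


def release_exists_by_listing(owner: str, repo: str, version: str,
                              fetch: Fetch = gh_api, per_page: int = 100) -> bool:
    """Fallback: page through the full release list and search for the tag."""
    page = 1
    while True:
        batch = fetch(f"repos/{owner}/{repo}/releases?per_page={per_page}&page={page}")
        if not batch:
            return False
        if any(isinstance(r, dict) and r.get("tag_name") == version for r in batch):
            return True
        if len(batch) < per_page:                  # last page reached
            return False
        page += 1


def make_fake_fetch(tags: List[str]) -> Fetch:
    """Constructed offline stand-in for gh_api. `tags` is newest-first, the
    order the GitHub releases API uses; the data is made up for the example."""
    releases = [{"tag_name": t} for t in tags]

    def fetch(path: str) -> Optional[object]:
        parts = urlsplit(path)
        if parts.path.endswith("/releases/latest"):
            return releases[0] if releases else None
        if "/releases/tags/" in parts.path:
            wanted = parts.path.rsplit("/", 1)[1]
            return next((r for r in releases if r["tag_name"] == wanted), None)
        if parts.path.endswith("/releases"):
            q = parse_qs(parts.query)
            per_page = int(q.get("per_page", ["30"])[0])
            page = int(q.get("page", ["1"])[0])
            start = (page - 1) * per_page
            return releases[start:start + per_page]
        return None

    return fetch


if __name__ == "__main__":
    # Constructed repository: v2.1.0 exists but is not the latest release.
    fake = make_fake_fetch(["v2.2.0", "v2.1.0", "v2.0.0"])
    owner, repo, version = "example", "constructed-repo", "v2.1.0"
    print("latest-only check :", latest_only_check(owner, repo, version, fake))   # False (false positive)
    print("tag lookup        :", release_exists(owner, repo, version, fake))      # True
    print("list fallback     :", release_exists_by_listing(owner, repo, version, fake, per_page=2))
```

Against a real repository, drop the `fetch` argument so `gh_api` is used; the listing fallback is only worth the extra requests when the tag endpoint is unavailable, since it walks every page until it finds the tag or runs out.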
