Recent changes to NewVersion regex break the "-ish" nature of the function - e.g. v24.02.05
This is problematic because many versions are date allocated in dev ops use cases.
NewVersion parsed these correctly before and this change will cause large problems for our existing versions. While not in spec, it is a common usage.
Since there is already the concept of StrictNewVersion and NewVersion, it seems like a bad idea to alter NewVersion like this.
Thoughts?
Just ran into a similar issue today after upgrading semver from v3.3.0 to v3.3.1.
The version "0.09.00" cannot be parsed anymore. We have third-party Helm charts which unfortunately have such a version string.
This seems to have caused some breakage with Argo CD as well: argoproj/argo-cd#21818
Hello.
At the moment we are blocked. We cannot upgrade ArgoCD to 2.14 because of the issue, at the same time we cannot upgrade k8s to 1.31 because ArgoCD 2.13 is not supported in k8s 1.31. https://argo-cd.readthedocs.io/en/stable/operator-manual/installation/#tested-versions
Appreciate your help. Thanks.
Hi guys, is there any update? Will it be fixed?
For us, too, it was a rather harsh change in behavior.
Unfortunately, we use Ubuntu 24.04 semver versions in our metal stack project (bare metal server provisioning machinery), which forces us to migrate all OS image references to 24.4 format.
We were fortunate that the images were not widely used by our user base, but theoretically, if users of our project had this in use, they would have to redeploy all their servers. 🙈
IMHO, indicating this change in Masterminds/semver should have caused something more than a patch release. :D
> The version "0.09.00" cannot be parsed anymore.
0.09.00 is an invalid semantic version. This package was incorrectly handling it before the recent bug fix.
To quote the spec:
> A normal version number MUST take the form X.Y.Z where X, Y, and Z are non-negative integers, and MUST NOT contain leading zeroes.
The leading 0's are the problem.
The real question here is, how far should the "-ish" go? Previously, the "-ish" was meant to cover missing parts and allow for wildcards. I had seen the leading 0's being allowed as a bug. But, should that be part of the -ish? If so, why?
> The real question here is, how far should the "-ish" go? Previously, the "-ish" was meant to cover missing parts and allow for wildcards. I had seen the leading 0's being allowed as a bug. But, should that be part of the -ish? If so, why?
Ideally this would be the question, however since multiple parts of the ecosystem involved have allowed these invalid semver versions in places where immutability is involved it also becomes a practical question. The out of spec versions already exist and they used to be 'valid' only a patch ago. Now part of the ecosystem starts breaking.
Argo CD has now fixed it by correctly recognizing that those version numbers are not semver and treating them as exact matches, however (I think) that also means wildcards are no longer supported.
Since there hasn't been that much traffic on this issue, I assume the impact was fortunately not actually that big, and I don't think at this point, months later, there's much point in changing it back. However, I would suggest that in the future a change in allowed values like this be considered a breaking change. Even though you're aligning with the spec and technically it was a 'bug', the fix likely doesn't fix many user-facing problems but rather causes them.
Anyway, like I said, at this point I think it's better to leave the behavior as it is and not revert to allowing leading 0's; anyone impacted must have (or their upstream has) fixed their processes by now.
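An added example, not code from this thread or from the semver package: a standard-library pre-upgrade audit that flags version strings with leading zeroes in a numeric part, the rule quoted from the spec above. It also reports where the zero-stripped form (24.04 to 24.4) would merge with an identifier already in use. `Normalize`, `Audit` and the inventory are hypothetical names and constructed data; prereleases and wildcards are deliberately left unjudged.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Normalize strips leading zeroes from a plain numeric version (optional "v",
// 1-3 parts). ok is false for anything else, which is returned unchanged.
func Normalize(v string) (norm string, ok bool) {
	body := strings.TrimPrefix(v, "v")
	parts := strings.Split(body, ".")
	for i, p := range parts {
		if i > 2 || p == "" || strings.Trim(p, "0123456789") != "" {
			return v, false
		}
		parts[i] = strings.TrimLeft(p[:len(p)-1], "0") + p[len(p)-1:] // "00" -> "0"
	}
	return v[:len(v)-len(body)] + strings.Join(parts, "."), true
}

// Audit maps each zero-stripped form to the inventory strings that need it,
// and lists forms that would merge two distinct identifiers if rewritten.
func Audit(inventory []string) (rejected map[string][]string, collisions []string) {
	present := map[string]bool{}
	for _, v := range inventory {
		present[v] = true
	}
	rejected = map[string][]string{}
	for v := range present {
		if n, ok := Normalize(v); ok && n != v {
			rejected[n] = append(rejected[n], v)
		}
	}
	for n, vs := range rejected {
		if len(vs) > 1 || present[n] {
			collisions = append(collisions, n)
		}
	}
	sort.Strings(collisions)
	return rejected, collisions
}

func main() {
	// Constructed inventory; the first three strings are quoted in the thread.
	inv := []string{"v24.02.05", "0.09.00", "24.04", "0.9.0", "1.2.3"}
	rejected, collisions := Audit(inv)
	fmt.Println("leading zeroes:", rejected, "collisions:", collisions)
}
```

A collision matters where versions are treated as immutable references: rewriting "0.09.00" to "0.9.0" is only safe if "0.9.0" does not already name a different artifact.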