Skip to content

Nuget metadata api endpoint returns the wrong `upper` or `lower` version for pre-release identifiers

Summary

The ordering of versions with mixed alphanumeric identifiers in the pre-release part of the version string is incorect and can lead to Package ... is not found in the following primary source(s): error while using nuget install commandline.

The cause seems to bee that the GitLab registry evaluates the number parts of such strings as numbers but the nuget command expects them to be evaluated per char.

This problem also affects vcpkg which can use nuget to cache binaries. It uses a hash value in the pre-release identifier part to ensure compatibility and sometimes fails to find already uploaded pkgs because of this bug which leads to increased build times.

Steps to reproduce

  1. create a nuget pkg with version 1.0.0-a1b and push to gitlab registry
  2. create a nuget pkg with version 1.0.0-a11 and push to gitlab registry
  3. create a nuget pkg with version 1.0.0-abb and push to gitlab registry
  4. try and fail to install the nuget pkg with version 1.0.0-a11

Example Project

https://gitlab.com/seybolml/nugetregbug
https://gitlab.com/api/v4/projects/45179516/packages/nuget/metadata/testpkg/index.json

What is the current bug behavior?

the pkg metadata api responds as follows:
the field lower is "1.0.0-a1b"
the field upper is "1.0.0-abb"

a nuget install with version "1.0.0-a11" fails with pkg not found.

What is the expected correct behavior?

the pkg metadata api responds as follows:
the field lower is "1.0.0-a11"
the field upper is "1.0.0-abb"

all pkgs can be installed with the nuget command line

Relevant logs and/or screenshots

response of https://gitlab.com/api/v4/projects/45179516/packages/nuget/metadata/testpkg/index.json

{
  "count": 1,
  "items": [
    {
      "@id": "https://gitlab.com/api/v4/projects/45179516/packages/nuget/metadata/testpkg/1.0.0-abb.json",
      "lower": "1.0.0-a1b",
      "upper": "1.0.0-abb",
      "count": 3,
      "items": [
        {
          "@id": "https://gitlab.com/api/v4/projects/45179516/packages/nuget/metadata/testpkg/1.0.0-abb.json",
          "packageContent": "https://gitlab.com/api/v4/projects/45179516/packages/nuget/download/testpkg/1.0.0-abb/testpkg.1.0.0-abb.nupkg",
          "catalogEntry": {
            "@id": "https://gitlab.com/api/v4/projects/45179516/packages/nuget/metadata/testpkg/1.0.0-abb.json",
            "authors": "",
            "dependencyGroups": [],
            "id": "testpkg",
            "version": "1.0.0-abb",
            "tags": "",
            "packageContent": "https://gitlab.com/api/v4/projects/45179516/packages/nuget/download/testpkg/1.0.0-abb/testpkg.1.0.0-abb.nupkg",
            "summary": ""
          }
        },
        {
          "@id": "https://gitlab.com/api/v4/projects/45179516/packages/nuget/metadata/testpkg/1.0.0-a1b.json",
          "packageContent": "https://gitlab.com/api/v4/projects/45179516/packages/nuget/download/testpkg/1.0.0-a1b/testpkg.1.0.0-a1b.nupkg",
          "catalogEntry": {
            "@id": "https://gitlab.com/api/v4/projects/45179516/packages/nuget/metadata/testpkg/1.0.0-a1b.json",
            "authors": "",
            "dependencyGroups": [],
            "id": "testpkg",
            "version": "1.0.0-a1b",
            "tags": "",
            "packageContent": "https://gitlab.com/api/v4/projects/45179516/packages/nuget/download/testpkg/1.0.0-a1b/testpkg.1.0.0-a1b.nupkg",
            "summary": ""
          }
        },
        {
          "@id": "https://gitlab.com/api/v4/projects/45179516/packages/nuget/metadata/testpkg/1.0.0-a11.json",
          "packageContent": "https://gitlab.com/api/v4/projects/45179516/packages/nuget/download/testpkg/1.0.0-a11/testpkg.1.0.0-a11.nupkg",
          "catalogEntry": {
            "@id": "https://gitlab.com/api/v4/projects/45179516/packages/nuget/metadata/testpkg/1.0.0-a11.json",
            "authors": "",
            "dependencyGroups": [],
            "id": "testpkg",
            "version": "1.0.0-a11",
            "tags": "",
            "packageContent": "https://gitlab.com/api/v4/projects/45179516/packages/nuget/download/testpkg/1.0.0-a11/testpkg.1.0.0-a11.nupkg",
            "summary": ""
          }
        }
      ]
    }
  ]
}

output of nuget.exe install testpkg -Version 1.0.0-a11

NuGet Version: 6.5.0.154
Feeds used:
  https://gitlab.com/api/v4/projects/45179516/packages/nuget/index.json

Attempting to gather dependency information for package 'testpkg.1.0.0-a11' with respect to project 'D:\git\nugetregbug', targeting 'Any,Version=v0.0'
  GET https://gitlab.com/api/v4/projects/45179516/packages/nuget/metadata/testpkg/index.json
  OK https://gitlab.com/api/v4/projects/45179516/packages/nuget/metadata/testpkg/index.json 502ms
Total number of results gathered : 1
Package 'testpkg 1.0.0-a11' is not found in the following primary source(s): 'https://gitlab.com/api/v4/projects/45179516/packages/nuget/index.json'. Please verify all your online package sources are available (OR) package id, version are specified correctly.

Output of checks

This bug happens on GitLab.com

Possible fixes