We use a single Chainguard image to have git available.
Our built image gets scanned by Palo Alto Prisma which is currently detecting a CVE in git-lfs v3.7.1-r8.
Prisma thinks this version is a pre-release of 3.7.1 and therefore <3.7.1.
But if I am not mistaken, the -r8 does not signal a prerelease, it signals the build info.
In semver, that should have been v3.7.1+r8 😅 spec.
I suspect the hyphen as the separator is already pretty entrenched and thus hard to change.
At the same time, I wonder which systems mis-identify the version as a prerelease due to the hyphen?
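
The two readings of `v3.7.1-r8` described in the post, side by side, as an added example that is not part of the original post and is not Prisma's or Chainguard's code. It assumes the `-rN` suffix is a package revision counter, that the advisory's fixed version is `3.7.1` (a constructed value), and the helper names are hypothetical.

```python
import re

# SemVer 2.0.0: MAJOR.MINOR.PATCH[-prerelease][+build]
SEMVER = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+([0-9A-Za-z.-]+))?$"
)
# Assumed distro-style scheme: upstream version plus package revision "-rN"
REVISION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-r(\d+))?$")


def semver_key(version):
    """Sort key following SemVer precedence (build metadata is ignored)."""
    m = SEMVER.match(version)
    if not m:
        raise ValueError(f"not a SemVer string: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return core + ((1,),)  # a release outranks every pre-release of itself
    # Numeric identifiers sort below alphanumeric ones, compared field by field
    ids = tuple(
        (0, int(i), "") if i.isdigit() else (1, 0, i) for i in pre.split(".")
    )
    return core + ((0, *ids),)


def revision_key(version):
    """Sort key treating "-rN" as a rebuild counter on top of the upstream version."""
    m = REVISION.match(version)
    if not m:
        raise ValueError(f"not an upstream-rN string: {version!r}")
    return tuple(int(x) for x in m.group(1, 2, 3)) + (int(m.group(4) or 0),)


def is_flagged(installed, fixed_in, key):
    """A scanner reports the package when installed sorts below the fixed version."""
    return key(installed) < key(fixed_in)


if __name__ == "__main__":
    installed, fixed_in = "v3.7.1-r8", "3.7.1"  # fixed_in is a constructed value
    print("SemVer reading flags it:  ", is_flagged(installed, fixed_in, semver_key))
    print("Revision reading flags it:", is_flagged(installed, fixed_in, revision_key))
    print("SemVer with +r8 flags it: ", is_flagged("v3.7.1+r8", fixed_in, semver_key))
```

Running a version string from a scanner finding through both keys shows quickly whether the finding depends only on how the hyphen is interpreted.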
