Appended epoch uses the wrong separator for semver #2437

@felipesere

Description

We use a single Chainguard image to have git available.
Our built image gets scanned by Palo Alto Prisma which is currently detecting a CVE in git-lfs v3.7.1-r8.
Prisma thinks this version is a pre-release of 3.7.1 and therefore <3.7.1

But if I am not mistaken, the -r8 does not signal a prerelease, it signals the build info.
In semver, that should have been v3.7.1+r8 😅 spec.

I suspect the hyphen as the separator is already pretty entrenched and thus hard to change.
At the same time, I wonder which systems mis-identify the version as a prerelease due to the hyphen?
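As an added example (not part of the issue, and not Chainguard's or Prisma's code), here is a small comparator that implements SemVer 2.0.0 precedence (items 9 to 11 of the spec) so the two readings of the suffix can be checked side by side: a `-` introduces a pre-release, which ranks below the plain release, while a `+` introduces build metadata, which is ignored for precedence. The "fixed in 3.7.1" value and the function names are constructed for illustration; a scanner that applies pure semver precedence to `3.7.1-r8` will rank it below `3.7.1`, exactly as described above.

```python
import re

# SemVer 2.0.0 grammar with an optional leading "v" (as used in the issue).
SEMVER_RE = re.compile(
    r"^v?(?P<major>0|[1-9]\d*)\.(?P<minor>0|[1-9]\d*)\.(?P<patch>0|[1-9]\d*)"
    r"(?:-(?P<pre>[0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?"
    r"(?:\+(?P<build>[0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?$"
)


def parse(version):
    """Split a version into (core, prerelease identifiers, build identifiers)."""
    m = SEMVER_RE.match(version)
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    core = (int(m["major"]), int(m["minor"]), int(m["patch"]))
    pre = tuple(m["pre"].split(".")) if m["pre"] else ()
    build = tuple(m["build"].split(".")) if m["build"] else ()
    return core, pre, build


def _ident_key(ident):
    # Spec item 11: numeric identifiers compare numerically and always rank
    # below alphanumeric ones; alphanumeric identifiers compare lexically
    # in ASCII order (so "r10" < "r8" -- a pre-release suffix is not a number).
    if ident.isdigit():
        return (0, int(ident), "")
    return (1, 0, ident)


def precedence_key(version):
    """Sort key reproducing SemVer precedence; build metadata is dropped."""
    core, pre, _build = parse(version)
    if not pre:
        # A release outranks every pre-release of the same core version.
        return (core, 1, ())
    # A longer identifier list wins when all earlier identifiers are equal,
    # which Python tuple comparison already provides.
    return (core, 0, tuple(_ident_key(i) for i in pre))


def compare(a, b):
    """Return -1, 0 or 1 according to SemVer precedence of a versus b."""
    ka, kb = precedence_key(a), precedence_key(b)
    return (ka > kb) - (ka < kb)


def flagged_as_vulnerable(installed, fixed_in):
    """Naive scanner rule (assumed for illustration): flag anything whose
    semver precedence is below the first fixed version."""
    return compare(installed, fixed_in) < 0


def describe_suffix(version):
    """Say how the part after the core version is classified by semver."""
    _core, pre, build = parse(version)
    if pre:
        return "pre-release (ranks below the release)"
    if build:
        return "build metadata (ignored for precedence)"
    return "plain release"


if __name__ == "__main__":
    # Constructed sample: the same package version written both ways,
    # checked against a hypothetical fix in 3.7.1.
    for v in ("v3.7.1-r8", "v3.7.1+r8"):
        print(v, "->", describe_suffix(v),
              "| flagged:", flagged_as_vulnerable(v, "3.7.1"))
```

Running the block prints that `v3.7.1-r8` is a pre-release and gets flagged while `v3.7.1+r8` is build metadata and does not; the comparator also reproduces the spec's own ordering example (`1.0.0-alpha < 1.0.0-alpha.1 < 1.0.0-alpha.beta`), which is a quick way to validate any version-comparison logic a scanner or policy engine applies.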
