julia: strip JLL build metadata from versions #15113
Open
maleadt wants to merge 1 commit into
Julia's JLL packages use a "+N" suffix on the version (e.g. "0.0.43+1")
to identify rebuilds of the same source version. Per semver, build
metadata is ignored when ordering versions, and Julia's Pkg treats e.g.
"0.0.43" and "0.0.43+1" as compatibility-equivalent.
Previously, `Dependabot::Julia::Version.new("0.0.43+1")` parsed the
build suffix as an additional segment, producing `[0, 0, 43, 1]`. That
sorted strictly greater than `"0.0.43"`, so:
- `LatestVersionFinder` reported a JLL rebuild as a newer release
available for update.
- `Gem::Requirement.new("=0.0.43").satisfied_by?` returned false for
the rebuild, so `RequirementsUpdater` did not short-circuit and
appended a redundant version spec (e.g. `"=0.0.43"` →
`"=0.0.43, 0.0.43"`).
Strip the build metadata in the constructor so build rebuilds compare
equal to the underlying source version.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds support for Julia SemVer build metadata (notably JLL “+N” rebuild suffixes) by normalizing versions so build metadata does not affect comparisons or requirement satisfaction.
Changes:
- Strip `+...` build metadata during `Dependabot::Julia::Version` initialization.
- Add RSpec coverage for `.correct?`, initialization normalization, ordering/equality, and `Gem::Requirement` satisfaction behavior.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| julia/lib/dependabot/julia/version.rb | Normalizes versions by removing build metadata suffix before parsing/comparison. |
| julia/spec/dependabot/julia/version_spec.rb | Adds specs validating metadata stripping and equality/requirement semantics for JLL rebuilds. |
Comment on lines +28 to +32
| # Strip build metadata suffix (e.g. "0.0.43+1" -> "0.0.43"). Julia's JLL | ||
| # packages use the "+N" suffix to identify rebuilds of the same source | ||
| # version; per semver build metadata is ignored when ordering versions, | ||
| # and Julia's Pkg treats "0.0.43" and "0.0.43+1" as compatibility-equivalent. | ||
| version_string = version_string.sub(/\+.*\z/, "") |
| # packages use the "+N" suffix to identify rebuilds of the same source | ||
| # version; per semver build metadata is ignored when ordering versions, | ||
| # and Julia's Pkg treats "0.0.43" and "0.0.43+1" as compatibility-equivalent. | ||
| version_string = version_string.sub(/\+.*\z/, "") |
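Review bot: The pattern on the `version_string.sub(/\+.*\z/, "")` line is broader than the "+N" rebuild counter the comment above it describes: it drops everything from the first `+`, including an empty suffix ("0.0.43+") or arbitrary text after it. If only well-formed build metadata should be normalized, tighten it to something like `/\+[0-9A-Za-z.-]+\z/` so malformed input still reaches the existing validation. The visible lines also do not show whether `correct?` applies the same strip, or whether `version_string` is guaranteed to be a String at this point; sharing one helper between `correct?` and the constructor, and calling `to_s` before `.sub`, would keep the two in agreement and avoid a NoMethodError on nil.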
What are you trying to accomplish?

Julia's JLL packages use a `+N` suffix on the version (e.g. `0.0.43+1`) to identify rebuilds of the same source version. Per semver, build metadata is ignored when ordering versions, and Julia's `Pkg` treats e.g. `0.0.43` and `0.0.43+1` as compatibility-equivalent.

Previously, `Dependabot::Julia::Version.new("0.0.43+1")` parsed the build suffix as an additional segment, producing `[0, 0, 43, 1]`. That sorted strictly greater than `0.0.43`, so:

- `LatestVersionFinder` reported a JLL rebuild as a newer release available for update.
- `Gem::Requirement.new("=0.0.43").satisfied_by?` returned `false` for the rebuild, so `RequirementsUpdater` did not short-circuit and appended a redundant version spec.

The result was spurious PRs like JuliaLLVM/LLVM.jl#562, which proposed changing `LLVMExtra_jll = "=0.0.43"` to `LLVMExtra_jll = "=0.0.43, 0.0.43"` after `LLVMExtra_jll` published a `0.0.43+1` rebuild.

This change strips the `+...` suffix in the `Version` constructor so JLL rebuilds compare equal to the underlying source version, matching Julia's resolution semantics.

Anything you want to highlight for special attention from reviewers?

The strip happens before `super`, so all downstream comparisons (`<=>`, `satisfied_by?`, sorting) see the canonical 3-segment version. `to_s` returns the stripped form, which I think is the right tradeoff — the build counter is not semantically meaningful and surfacing it elsewhere just risks the same comparison bug recurring. Open to feedback if you'd rather preserve the original string for display.

How will you know you've accomplished your goal?
Added `julia/spec/dependabot/julia/version_spec.rb` covering:

- `+N` build metadata
- `0.0.43+1` and `0.0.43` for ordering
- `=0.0.43`) being satisfied by a rebuild

Running locally:
Checklist
`version_spec`, `requirement_spec`, `requirements_updater_spec`) locally. I have not run the integration tests that require the Julia helper.
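
The two symptoms described above, reproduced as an added example that is not code from this PR or from Dependabot. `NaiveVersion` and `StrippedVersion` are hypothetical stand-ins built on `Gem::Version`; how the old parser turned `+1` into a fourth segment is an assumption (modelled here as `+` becoming `.`), since the page only states the resulting `[0, 0, 43, 1]`.

```ruby
require "rubygems"

# Hypothetical "before": the "+N" rebuild counter ends up as an extra
# numeric segment. The mechanism is assumed; the page states only the result.
class NaiveVersion < Gem::Version
  def initialize(version)
    super(version.to_s.tr("+", "."))
  end
end

# Hypothetical "after": build metadata is dropped before Gem::Version
# parses the string, using the same pattern as the PR's hunk.
class StrippedVersion < Gem::Version
  BUILD_METADATA = /\+.*\z/

  def initialize(version)
    super(version.to_s.sub(BUILD_METADATA, ""))
  end
end

# Published versions that a "latest version" check would offer as updates.
def update_candidates(klass, current, published)
  current_version = klass.new(current)
  published.select { |v| klass.new(v) > current_version }
end

# Whether an existing pin already covers a published version.
def pin_satisfied?(klass, pin, published)
  Gem::Requirement.new(pin).satisfied_by?(klass.new(published))
end

# Constructed sample data: one JLL rebuild and one real source release.
PUBLISHED = ["0.0.43+1", "0.0.44"].freeze

if $PROGRAM_NAME == __FILE__
  [NaiveVersion, StrippedVersion].each do |klass|
    puts "#{klass}: candidates=#{update_candidates(klass, '0.0.43', PUBLISHED).inspect} " \
         "pin_ok=#{pin_satisfied?(klass, '=0.0.43', '0.0.43+1')}"
  end
end
```
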