Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-25908

nuget restore does not resolve inbound normalized package versions to unnormalized published versions using NuGet v3

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.28.1
    • Fix Version/s: 3.30.0
    • Component/s: NuGet, nuget-v3
    • Labels:

      Description

      Summary

      The nuget restore of packages using published versions which do not comply with NuGet normalized version rules may not be resolvable using NXRM NuGet (v3 API) repositories.

      Reproduce

      1. Upload the attached SONATYPE.TEST.1.0.0.0.nupkg test package to a Nuget hosted repo
      2. Add a Nuget v3 source on the client side to http://localhost:8081/repository/nuget-hosted/index.json
      3. In Visual Studio, add the SONATYPE.TEST 1.0.0.0 package to your project as a dependency.

      4. Visual Studio attempts a "restore" and console reports:

      Getting restore information for project /Users/plynch/Projects/test-versions/test-versions.csproj
      Running non-parallel restore.
      Reading project file /Users/plynch/Projects/test-versions/test-versions.csproj.
      Restoring packages for /Users/plynch/Projects/test-versions/test-versions.csproj...
      Restoring packages for .NETCoreApp,Version=v3.1...
        GET http://localhost:8081/repository/nuget-hosted/v3/content/sonatype.test/index.json
        OK http://localhost:8081/repository/nuget-hosted/v3/content/sonatype.test/index.json 12ms
        GET http://localhost:8081/repository/nuget-hosted/v3/content/sonatype.test/1.0.0/sonatype.test.1.0.0.nupkg
        NotFound http://localhost:8081/repository/nuget-hosted/v3/content/sonatype.test/1.0.0/sonatype.test.1.0.0.nupkg 9ms
        GET http://localhost:8081/repository/nuget-hosted/v3/content/sonatype.test/index.json
        OK http://localhost:8081/repository/nuget-hosted/v3/content/sonatype.test/index.json 5ms
        CACHE http://localhost:8081/repository/nuget-hosted/v3/content/sonatype.test/index.json
        CACHE http://localhost:8081/repository/nuget-hosted/v3/content/sonatype.test/index.json
      The feed 'nuget-hosted-v3 [http://localhost:8081/repository/nuget-hosted/index.json]' lists package 'SONATYPE.TEST.1.0.0' but multiple attempts to download the nupkg have failed. The feed is either invalid or required packages were removed while the current operation was in progress. Verify the package exists on the feed and try again.
      

      *Note: *Requesting the package directly by its non-normalized version or using nuget install does seem to work.

      Visual Studio and seemingly any "nuget restore" cannot resolve the package from NRXM when the package version normalization rules are followed by the client:

      From: https://docs.microsoft.com/en-us/nuget/concepts/package-versioning#normalized-version-numbers

      This is a breaking change for NuGet 3.4 and later.

      When obtaining packages from a repository during install, reinstall, or restore operations, NuGet 3.4+ treats version numbers as follows:

      A zero in the fourth part of the version number will be omitted

      1.0.01.0 is treated as 1.0.1

      Comparison with NuGet.org

      Visual Studio when talking to nuget.org will be able to resolve packages published with versions that are not normalized. Example

      Microsoft.Web.Infrastructure package version 1.0.0.0 nuspec file on nuget.org
      <?xml version="1.0" encoding="utf-16"?>
      <package xmlns="http://schemas.microsoft.com/packaging/2010/07/nuspec.xsd">
          <metadata>
              <id>Microsoft.Web.Infrastructure</id>
              <version>1.0.0.0</version>
              <title>Microsoft.Web.Infrastructure</title>
              <authors>Microsoft</authors>
              <owners>Microsoft</owners>
              <licenseUrl>http://go.microsoft.com/fwlink/?LinkID=214339</licenseUrl>
              <projectUrl>http://www.asp.net</projectUrl>
              <requireLicenseAcceptance>false</requireLicenseAcceptance>
              <description>This package contains the Microsoft.Web.Infrastructure assembly that lets you dynamically register HTTP modules at run time.</description>
              <language>en-US</language>
              <tags>ASPNETWEBPAGES</tags>
          </metadata>
      </package>
      

      Shows inside Visual Studio as 1.0.0, not 1.0.0.0

      This works when added as a package in Visual Studio:

      Getting restore information for project /Users/plynch/Projects/test-versions/test-versions.csproj
      Running non-parallel restore.
      Reading project file /Users/plynch/Projects/test-versions/test-versions.csproj.
      Restoring packages for /Users/plynch/Projects/test-versions/test-versions.csproj...
      Restoring packages for .NETCoreApp,Version=v3.1...
        GET https://api.nuget.org/v3-flatcontainer/microsoft.web.infrastructure/index.json
        OK https://api.nuget.org/v3-flatcontainer/microsoft.web.infrastructure/index.json 65ms
        GET https://api.nuget.org/v3-flatcontainer/microsoft.web.infrastructure/1.0.0/microsoft.web.infrastructure.1.0.0.nupkg
        OK https://api.nuget.org/v3-flatcontainer/microsoft.web.infrastructure/1.0.0/microsoft.web.infrastructure.1.0.0.nupkg 37ms
      

      Workaround

      • use a nuget V2 source ( no index.json as part of source URL )
      • use nuget install instead of nuget restore
      • if this is a private package, possibly re-publish the package with a normalized version instead ( ie. 1.0.0 )

      Expected

      NXRM should follow the normalization rules and treat normalized package versions equivalent to non-normalized published package versions.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              mlukaretkyi Maksym Lukaretkyi
              Reporter:
              plynch Peter Lynch
              Last Updated By:
              Maksym Lukaretkyi Maksym Lukaretkyi
              Team:
              NXRM - Trinity
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Date of First Response:

                  tigCommentSecurity.panel-title