[GH-ISSUE #2848] newtUpdateAvailable shows false for outdated sites due to v-prefixed duplicate tags #4200

Closed
opened 2026-04-20 08:41:46 -05:00 by GiteaMirror · 1 comment
Owner

Originally created by @strausmann on GitHub (Apr 13, 2026).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/2848

Describe the Bug

The newtUpdateAvailable field in the Sites API response (GET /org/{orgId}/sites) incorrectly shows false for sites running outdated Newt versions. Two root causes were identified:

Bug 1 (primary): Tag sorting + duplicate tags

The code in server/routers/site/listSites.ts fetches /repos/fosrl/newt/tags and takes tags[0].name as the latest version. However, the Newt repo has duplicate tags with and without v prefix for versions 1.8.0–1.10.3. The GitHub Tags API returns v-prefixed tags before unprefixed ones:

# Actual order from GET /repos/fosrl/newt/tags:
v1.10.3    ← tags[0] — taken as "latest"!
v1.10.2
v1.10.1
...
1.11.0     ← the ACTUAL latest version (never reached)
1.10.4
1.10.3     ← same version as v1.10.3

Result: latestNewtVersion = "v1.10.3" instead of "1.11.0"

  • semver.lt("1.10.1", "v1.10.3") → true (correct for 1.10.1 sites)
  • semver.lt("1.10.3", "v1.10.3") → false (wrong — 1.11.0 is available)

Bug 2 (secondary): Cache invalidation without fallback

The cached version has a 1-hour TTL. After expiry, if the GitHub fetch times out (1.5s limit), the cache returns null and ALL sites default to newtUpdateAvailable: false. A stale-while-revalidate pattern would preserve the last known value until a successful fetch.

Suggested fixes:

  1. Sort fetched tags by semver.rcompare() and deduplicate before selecting tags[0]
  2. Use /repos/fosrl/newt/releases/latest instead of /tags (returns the actual latest release, not affected by tag ordering)
  3. Persist cached version until next successful fetch (stale-while-revalidate)
  4. Clean up duplicate v-prefixed tags in the Newt repo

Environment

  • OS Type & Version: Ubuntu 24.04 (Hetzner Cloud)
  • Pangolin Version: 1.17.0 (Enterprise Edition)
  • Gerbil Version: 1.17.0
  • Traefik Version: 3.6.13
  • Newt Version: Mix of 1.10.1, 1.10.3, 1.11.0 across 10 sites
  • Olm Version: n/a

To Reproduce

  1. Have sites running Newt 1.10.3 and 1.11.0
  2. Call GET /org/{orgId}/sites
  3. Observe that sites on 1.10.3 show newtUpdateAvailable: false
  4. Verify with curl https://api.github.com/repos/fosrl/newt/tags | jq '.[0].name' — returns v1.10.3 not 1.11.0

Expected Behavior

All sites running Newt < 1.11.0 should show newtUpdateAvailable: true, since 1.11.0 is the latest release.

GiteaMirror added the bug label 2026-04-20 08:41:46 -05:00
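
Added example (not part of the issue and not Pangolin's code): order-independent selection of the latest Newt version from a tag list with mixed `v` prefixes, plus a refresh step that keeps the last known value when a fetch fails. All function names are hypothetical, and a plain x.y.z comparison stands in for the `semver` package so the block runs without dependencies.

```typescript
// Added example, not Pangolin's code. A plain x.y.z comparison stands in for
// the semver package so the block runs without dependencies.
interface Ver { major: number; minor: number; patch: number }
interface CacheState { version: string | null; fetchedAt: number }

// Accepts "1.10.3" and "v1.10.3"; pre-release or malformed names are skipped
// (an assumption of this example).
function parseTag(name: string): Ver | null {
    const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(name.trim());
    if (!m) return null;
    return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

function compareVer(a: Ver, b: Ver): number {
    return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Highest version in the list regardless of API order; "v1.10.3" and "1.10.3"
// collapse to the same value because the result is rebuilt without the prefix.
function latestVersion(tagNames: string[]): string | null {
    let best: Ver | null = null;
    for (const name of tagNames) {
        const v = parseTag(name);
        if (v !== null && (best === null || compareVer(v, best) > 0)) best = v;
    }
    return best === null ? null : `${best.major}.${best.minor}.${best.patch}`;
}

// Stale-while-revalidate step: `fetched` is null when the request failed or
// timed out. A failed or unparseable refresh keeps the previous state.
function refreshCache(prev: CacheState, fetched: string[] | null, now: number): CacheState {
    const fresh = fetched === null ? null : latestVersion(fetched);
    return fresh === null ? prev : { version: fresh, fetchedAt: now };
}

// null means "unknown", kept distinct from false so that a missing latest
// version is not reported as "up to date".
function updateAvailable(installed: string, latest: string | null): boolean | null {
    const cur = parseTag(installed);
    const top = latest === null ? null : parseTag(latest);
    if (cur === null || top === null) return null;
    return compareVer(cur, top) < 0;
}

// Constructed sample in the order the issue reports for /repos/fosrl/newt/tags.
const SAMPLE_TAGS = ["v1.10.3", "v1.10.2", "v1.10.1", "1.11.0", "1.10.4", "1.10.3"];
```

Returning `null` for an unknown latest version lets a dashboard or alert distinguish "could not check" from "no update", so outdated tunnel clients are not silently reported as current.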
Author
Owner

@strausmann commented on GitHub (Apr 13, 2026):

Related discussion with additional analysis and code suggestions: https://github.com/fosrl/pangolin/discussions/2847


Reference: github-starred/pangolin#4200