mirror of
https://github.com/semver/semver.git
synced 2026-07-11 05:12:48 -05:00
SemVer support for hotfixes/security fixes by third parties #610
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @JasonRShaver on GitHub (Nov 9, 2023).
A common scenario that I run across in my enterprise work around supply chain security and SBOMs is the need for an enterprise to privately fix OSS dependencies (NuGet, NPM, and PyPI packages for example). This may be cases where a security patch needs to be rolled out before coordinated disclosure or an enterprise needs to apply a fix in an OSS dependency before the upstream project releases an update. Another scenario would be for identifying patched dependencies in SBOMs to ensure accurate audit results (VEX may make this easier in the future, but it is not well respected by auditors yet, in my experience).
For a third party consumer, they can't rev the x.y.z number because it will conflict with the next update from the upstream project, and of course any x.y.z-hotfix or x.y.z+hotfix will lose to the clean x.y.z version.
Does the SemVer community have any opinions on third party private fixes/hotpatches? My research indicates this scenario is not supported (e.g., #917), but I'm curious if other stakeholders have proposed extensions to SemVer v2 to enable dependency resolution support for private hotfixes, and/or if the SemVer community itself has an philosophical disagreement with this idea.
An north star vision here might look the NuGet client tool supporting hotfixes when provided by a private upstream registry (Artifactory, Azure Artifacts, etc.), but not enabling the publishing of any hotfixes to the NuGet public registry itself. (Disclaimer: I work for Microsoft, but do not represent the NuGet team or their future plans)
@ljharb commented on GitHub (Nov 9, 2023):
You'd do this with a prerelease of the next patch version, regardless of whether availability was public. There's nothing extra needed here.
@JasonRShaver commented on GitHub (Nov 9, 2023):
Thank you for the quick reply. That's an interesting idea, I'll have to think about if that can address all my scenarios.
Some early thoughts, if you don't mind sharing your opinion/insights:
Thanks again for taking the time to respond =)
@ljharb commented on GitHub (Nov 9, 2023):
That’s fine, since if the patched version isn’t publicly available, those using it would need to use a specially crafted range to avoid picking up any prereleases but the fixed one.