feed2catalog produces catalog items with invalid dependency version ranges #3482

Closed
emgarten opened this issue Jan 22, 2017 · 12 comments

@emgarten
Member

V3 registration blobs contain packages with invalid version ranges

https://api.nuget.org/v3/registration1/nservicebus.persistence.sql.msbuild/index.json

Expected

feeds should validate packages and avoid displaying invalid data in the feed

Actual

From the client
install-package nservicebus.persistence.sql.msbuild -version 1.0.0-beta0006

fails with:

install-package : An error occurred while retrieving package metadata for 'nservicebus.persistence.sql.msbuild.1.0.0-beta0006' from source 'nuget.org'.
  '$version$' is not a valid version string.
@emgarten
Member Author

emgarten commented Jan 22, 2017

More examples

Microsoft.VisualStudio.Services.Gallery.WebApi
  '[15.106.0.preview]' is not a valid version string.

ServiceStack.Extras.Serilog
  '0.0.0-~4' is not a valid version string.

BaseLine
  Invalid

MassTransit.RavenDbIntegration
  '0.0.0-~3' is not a valid version string.

@scottbommarito
Contributor

scottbommarito commented Feb 17, 2017

These packages can all still be uploaded to the Gallery.

The Gallery deserializes data from .nuspecs using a NuGet.Packaging class called NuSpecReader. When this class sees an invalid version range, it silently handles it and returns a version range that contains all versions. As a result, the Gallery has no visibility on broken metadata and cannot reject packages with invalid version ranges.

I suggest either

  1. Leave the metadata flow intact and modify the client to install the latest version of a package dependency when it encounters a range it cannot understand.
  2. Modify NuSpecReader to throw an exception when it encounters invalid data and then handle the exceptions on the Gallery side.

@scottbommarito
Contributor

We have concluded that we should both modify the client to install the latest/oldest version of a package dependency when it encounters a range it cannot understand AND modify NuSpecReader to throw an exception when it encounters invalid data and then handle the exception on the gallery side.

@joelverhagen changed the title from "Invalid version range in v3 registration blob" to "Gallery accepts packages with illegal package dependency version ranges" on Mar 6, 2017
@joelverhagen
Member

This work item is: In the gallery, reject new packages with bad dependency version ranges. Just a validation task.

@xavierdecoster
Member

The gallery cannot differentiate between a legitimate "all versions" scenario and a "fallback due to invalid data" scenario, because of the silent fallback. An explicit exception we can handle would be useful.
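
Added example, not part of the thread and not NuGet's code: a Python sketch of why the silent fallback discussed above makes a broken range indistinguishable from a declared "any version" range, plus a strict check over a .nuspec that reports the bad ranges instead. The version grammar is a simplified assumption, and the function names and sample package ids are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Simplified version grammar (an assumption, not NuGet's parser): 1 to 4 numeric
# parts, then optional -prerelease and +metadata dot-separated labels.
_LABEL = r"[0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*"
_VERSION = re.compile(rf"\d+(?:\.\d+){{0,3}}(?:-{_LABEL})?(?:\+{_LABEL})?")
ALL = (None, None, False, False)  # the "any version" range, written (, )

def parse_range_strict(text):
    """Return (min, max, min_inclusive, max_inclusive) or raise ValueError."""
    s = text.strip()
    if _VERSION.fullmatch(s):              # bare "1.0" means >= 1.0
        return (s, None, True, False)
    if len(s) < 3 or s[0] not in "[(" or s[-1] not in "])":
        raise ValueError(f"{text!r} is not a valid version range")
    parts = [p.strip() for p in s[1:-1].split(",")]
    if len(parts) == 1 and parts[0] and s[0] + s[-1] == "[]":
        parts = parts * 2                  # "[1.0]" pins exactly one version
    if len(parts) != 2 or any(p and not _VERSION.fullmatch(p) for p in parts):
        raise ValueError(f"{text!r} is not a valid version range")
    return (parts[0] or None, parts[1] or None, s[0] == "[", s[-1] == "]")

def parse_range_lenient(text):
    """Models the silent fallback from the thread: bad input widens to ALL."""
    try:
        return parse_range_strict(text)
    except ValueError:
        return ALL

def audit_nuspec(xml_text):
    """List (id, raw range) pairs a strict reader rejects; no attribute = any."""
    bad = []
    for el in ET.fromstring(xml_text).iter():
        raw = el.get("version")
        if el.tag.rsplit("}", 1)[-1] != "dependency" or raw is None:
            continue
        try:
            parse_range_strict(raw)
        except ValueError:
            bad.append((el.get("id"), raw))
    return bad

# Constructed sample; package ids are hypothetical, bad ranges are from the thread.
SAMPLE = """<package><metadata><dependencies>
  <dependency id="Example.Pinned" version="[15.106.0.preview]" />
  <dependency id="Example.Token" version="$version$" />
  <dependency id="Example.Tilde" version="0.0.0-~4" />
  <dependency id="Example.Fixed" version="[15.106.0-preview]" />
  <dependency id="Example.Any" />
</dependencies></metadata></package>"""
```

With the lenient parser, `[15.106.0.preview]` and `(, )` produce the same tuple, so a caller has nothing left to reject on; `audit_nuspec(SAMPLE)` reports only the three broken ranges and leaves `Example.Fixed` and `Example.Any` alone.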

@shishirx34
Contributor

shishirx34 commented Mar 21, 2017

The work for this issue would be two parts

@shishirx34
Contributor

Reopening to decide what the server side should do with the existing packages that have a bad dependency range.

From #4684 @emgarten comments:

https://api.nuget.org/v3/registration3-gz-semver2/microsoft.visualstudio.services.gallery.webapi/index.json contains an invalid version range of [15.106.0.preview] which causes the client to fail when finding the package for packages.config installs.

The result is the error:
Unable to resolve dependency 'Microsoft.VisualStudio.Services.Gallery.WebApi'.

The client could handle this better by only skipping the invalid package version, however I think this should also be handled better on the server side. Invalid packages that cannot be used should not appear in the feed, and invalid data should not appear in the feed even if it is in the nuspec file.

@tedchamb

We own the microsoft.visualstudio.services.gallery.webapi nuget package. Is there anything we can do on our side to fix this issue for this particular package while we wait for the nuget fix?

@joelverhagen
Member

@tedchamb, I think we need to investigate more about what client scenarios (and versions of clients) are affected by these bad version ranges. Could you describe what issues you or your customers are running into with the "bad" package?

@tedchamb

@joelverhagen The issue is that when a customer runs the following command using nuget.exe, the user will get an error and cannot install the latest version of the package. We made a mistake on the version dependency for an older version of the package, and there is no way that I know of to fix that on our side. We had a '.' instead of a '-' in [15.106.0.preview]

nuget.exe install install Microsoft.VisualStudio.Services.Gallery.WebApi -Verbosity Detailed -Pre

NuGet Version: 4.4.0.4475
Feeds used:
E:\tfsomNuGet\Release_RealSigned_20170930.1
https://www.myget.org/F/dotnet-core/api/v3/index.json
https://api.nuget.org/v3/index.json
https://www.myget.org/F/nugetvssprivate/api/v3/index.json
C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\

Installing package 'Microsoft.VisualStudio.Services.Gallery.WebApi' to 'C:'.
GET https://www.myget.org/F/nugetvssprivate/api/v3/registration1/microsoft.visualstudio.services.gallery.webapi/index.json
GET https://api.nuget.org/v3/registration3-gz-semver2/microsoft.visualstudio.services.gallery.webapi/index.json
GET https://dotnet.myget.org/F/dotnet-core/api/v3/registration1/microsoft.visualstudio.services.gallery.webapi/index.json
OK https://api.nuget.org/v3/registration3-gz-semver2/microsoft.visualstudio.services.gallery.webapi/index.json 281ms
NotFound https://www.myget.org/F/nugetvssprivate/api/v3/registration1/microsoft.visualstudio.services.gallery.webapi/index.json 574ms
NotFound https://dotnet.myget.org/F/dotnet-core/api/v3/registration1/microsoft.visualstudio.services.gallery.webapi/index.json 2002ms
An error occurred while retrieving package metadata for 'Microsoft.VisualStudio.Services.Gallery.WebApi' from source 'nuget.org'.
'[15.106.0.preview]' is not a valid version string.
NuGet.Protocol.Core.Types.FatalProtocolException: An error occurred while retrieving package metadata for 'Microsoft.VisualStudio.Services.Gallery.WebApi' from source 'nuget.org'. ---> System.ArgumentException: '[15.106.0.preview]' is not a valid version string.
at NuGet.Versioning.VersionRange.Parse(String value, Boolean allowFloating)
at NuGet.Protocol.Utils.CreateVersionRange(String stringToParse)
at NuGet.Protocol.ResolverMetadataClient.ProcessPackageVersion(JObject packageObj, NuGetVersion version)
at NuGet.Protocol.ResolverMetadataClient.d__0.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at NuGet.Protocol.ResolverMetadataClient.d__2.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at NuGet.Protocol.DependencyInfoResourceV3.d__5.MoveNext()
--- End of inner exception stack trace ---
at NuGet.Protocol.DependencyInfoResourceV3.d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at NuGet.PackageManagement.NuGetPackageManager.d__90.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at NuGet.PackageManagement.NuGetPackageManager.<>c__DisplayClass89_1.<b__0>d.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at NuGet.PackageManagement.NuGetPackageManager.d__89.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at NuGet.PackageManagement.NuGetPackageManager.d__88.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at NuGet.CommandLine.InstallCommand.d__40.MoveNext()

@joelverhagen
Member

After this fix is deployed, the following packages should be reflowed:

MassTransit.RavenDbIntegration 3.2.2
MassTransit.RavenDbIntegration 3.2.3
MassTransit.RavenDbIntegration 3.2.4
MassTransit.RavenDbIntegration 3.3.0
MassTransit.RavenDbIntegration 3.3.0-unstable0009
MassTransit.RavenDbIntegration 3.3.0-unstable0010
MassTransit.RavenDbIntegration 3.3.0-unstable0012
MassTransit.RavenDbIntegration 3.3.0-unstable0013
Microsoft.VisualStudio.Services.Gallery.WebApi 15.106.0-preview
ServiceStack.Extras.Serilog 2.0.1

@joelverhagen changed the title from "Gallery accepts packages with illegal package dependency version ranges" to "feed2catalog produces catalog items with invalid dependency version ranges" on Oct 30, 2017
@loic-sharma mentioned this issue on Oct 30, 2017
@joelverhagen reopened this on Oct 30, 2017
@joelverhagen
Member

All packages on nuget.org with invalid version ranges have been reflowed. nuget.exe install works on all of the three package IDs with invalid dependency version ranges:

MassTransit.RavenDbIntegration
Microsoft.VisualStudio.Services.Gallery.WebApi
ServiceStack.Extras.Serilog

Note that nuget.exe treats invalid version ranges as the "any version" range (, ).

@tedchamb, let me know if you run into any other issues.

joelverhagen added a commit to NuGet/NuGet.Jobs that referenced this issue Oct 26, 2020