
fix(prepare): handle scoped tag prefixes in auto version resolution #773

Merged: BYK merged 2 commits into master from fix/scoped-tag-version-resolution on Mar 16, 2026
Conversation

BYK (Member) commented Mar 16, 2026

Problem

resolveVersion() in prepare.ts fails to extract the semver from git tags that use scoped prefixes like @spotlightjs/spotlight@4.10.0. The manual regex only handles v-prefixed (v1.2.3) and bare (1.2.3) tags:

const currentVersion =
  latestTag && latestTag.replace(/^v/, '').match(/^\d/)
    ? latestTag.replace(/^v/, '')
    : '0.0.0';

For @spotlightjs/spotlight@4.10.0, .replace(/^v/, '') is a no-op and .match(/^\d/) returns null, so it falls through to '0.0.0'. This causes auto version to resolve as 0.1.0 instead of 4.11.0.

Fix

Replace the manual regex with the existing getVersion() utility from utils/version.ts, which correctly extracts semver from any string using a proper regex:

const currentVersion = (latestTag && getVersion(latestTag)) || '0.0.0';

Adds a test case for scoped package tag extraction.
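
The failure described above, reproduced as an added example that is not part of the PR or of Craft's code. `extractSemver()` is a hypothetical stand-in for the `getVersion()` utility (its regex is an assumption), `bumpMinor()` and `findMisresolvedTags()` are illustrative helpers, and the tag list is constructed.

```typescript
// Added illustration, not Craft's source.
const SEMVER = /v?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?/;

// Pre-fix expression as quoted in the PR description.
function legacyCurrentVersion(latestTag: string | null): string {
  return latestTag && latestTag.replace(/^v/, '').match(/^\d/)
    ? latestTag.replace(/^v/, '')
    : '0.0.0';
}

// Hypothetical stand-in for getVersion(): first semver found anywhere in the text.
function extractSemver(text: string): string | null {
  const m = SEMVER.exec(text);
  return m ? m[0].replace(/^v/, '') : null;
}

// Post-fix expression from the PR, with extractSemver() in place of getVersion().
function fixedCurrentVersion(latestTag: string | null): string {
  return (latestTag && extractSemver(latestTag)) || '0.0.0';
}

// Simplified minor bump (assumption), enough to reproduce 0.1.0 vs 4.11.0.
function bumpMinor(version: string): string {
  const [major, minor] = version.split('.').map(Number);
  return `${major}.${minor + 1}.0`;
}

// Audit helper: tags that carry a semver the legacy logic reads differently.
function findMisresolvedTags(tags: string[]): string[] {
  return tags.filter((t) => {
    const semver = extractSemver(t);
    return semver !== null && legacyCurrentVersion(t) !== semver;
  });
}

// Constructed sample tags.
const SAMPLE_TAGS = ['v1.2.3', '1.2.3', '@spotlightjs/spotlight@4.10.0', 'not-a-version'];

for (const tag of SAMPLE_TAGS) {
  const before = bumpMinor(legacyCurrentVersion(tag));
  const after = bumpMinor(fixedCurrentVersion(tag));
  console.log(`${tag}: legacy next=${before}, fixed next=${after}`);
}
console.log('misresolved:', findMisresolvedTags(SAMPLE_TAGS));
```

Running `findMisresolvedTags()` over a repository's existing tag list shows which releases the old expression would have silently reset to the `'0.0.0'` fallback.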

BYK added 2 commits March 16, 2026 09:13
- simple-git: 3.30.0 → 3.33.0 (fixes CVE-2026-28292, CRITICAL CVSS 9.8)
  RCE via case-insensitive protocol.allow bypass in blockUnsafeOperationsPlugin
- tar: 7.5.8 → 7.5.11 (fixes CVE-2026-29786, HIGH CVSS 8.2)
  Hardlink path traversal via drive-relative linkpath

Also dismissed Dependabot alert #119 (@tootallnate/once, LOW severity)
as tolerable risk — blocked upstream by teeny-request pinning
http-proxy-agent@^5, and the vulnerability requires AbortSignal usage
patterns not present in Craft.

Use the existing getVersion() utility to extract semver from git tags
instead of manual regex that only handled 'v' prefix and bare versions.

Tags like '@scope/package@1.2.3' were falling through to the '0.0.0'
fallback, causing auto version to resolve as '0.1.0' instead of the
correct next version.

BYK force-pushed the fix/scoped-tag-version-resolution branch from f2c33f0 to c92cfff, March 16, 2026 09:15
BYK merged commit dc4bdfa into master, Mar 16, 2026 (18 checks passed)
BYK deleted the fix/scoped-tag-version-resolution branch, March 16, 2026 09:33