Hi @joshua-mitchell_8090 ,
Thanks for the inquiry! The changes are available in the inedo/proget:25.0.24-ci.4 container image, and we'd love to get a second set of eyes. Are you using Docker?
They're relatively simple, but we just avoid changing stuff like this in maintenance releases... so it's currently slated for ProGet 2026.
But it should be okay for a maintenance release. Please let us know, we'll decide to release based on your or other user feedback.
Here's what we changed.
First, we added a "sixth" component called IncrementalVersion2 that will support versions like 1.2.3.4-mybuild-678 (where 4 is the second incrementing version), so that vulnerability identification can work better. Our implementation is based on the the Maven version specs, which in retrospect, seems to be followed only by ProGet. Pretty low risk here.
Second, we changed our "path parsing" logic, which identifies the groupId, artifactId, version, artifactType from a string like /junit/junit/4.8.2/junit-4.8.2.jar into /mygroup/more-group/group-42/my-artifact/1.0-SNAPSHOT/maven-metadata.xml.
It's a little hard to explain, so I'll just share the new and old logic:
//OLD: if (urlPartsQ.TryPeek(out string? maybeVersion) && char.IsNumber(maybeVersion, 0))
if (urlPartsQ.TryPeek(out string? maybeVersion) && (
char.IsNumber(maybeVersion, 0)
|| maybeVersion.EndsWith("-SNAPSHOT", StringComparison.OrdinalIgnoreCase)
|| (this.FileName is not null && !this.FileName.Equals("maven-metadata.xml", StringComparison.OrdinalIgnoreCase))
))
{
this.Version = maybeVersion;
urlPartsQ.Pop();
}
Long story short, this seems to work fine for v8.5.0 and shouldn't break unless someone is uploading improperly named artifact files (e.g. my-group/my-artifact/version-1000/maven-metadata.xml or e.g. my-photo/cool-snapshot/hello-kitty.jpg).
Thanks,
Alana
