Add version check for nuget external packages (#19852)

localconst · web-flow · commit 836d99df288c · 2024-10-21T19:07:54.000+04:00
diff --git a/make-util.js b/make-util.js
@@ -698,6 +698,20 @@ var getExternalsAsync = async function (externals, destRoot) {
             var url = package.repository.replace(/\/$/, '') + '/package/' + package.name + '/' + package.version;
             var packageSource = await downloadArchiveAsync(url, /*omitExtensionCheck*/true);
 
+            // If nuget doesn't find specific package version, it will download the latest.
+            // We can't specify nuget to fail such request, so we need at least to check version post-factum.
+            const { XMLParser } = require("fast-xml-parser");
+            const parser = new XMLParser();
+
+            const nuspecPath = path.join(packageSource, package.name + '.nuspec');
+            const nuspecXml = fs.readFileSync(nuspecPath);
+            const nuspec = parser.parse(nuspecXml);
+
+            const nuspecVersion = nuspec && nuspec.package && nuspec.package.metadata && nuspec.package.metadata.version;
+            if (nuspecVersion !== package.version) {
+                fail(`Expected version '${package.version}' but got '${nuspecVersion}' for nuget package '${package.name}'`);
+            }
+
             // copy specific files
             copyGroups(package.cp, packageSource, destRoot);
         }
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -33,6 +33,7 @@
   "devDependencies": {
     "adm-zip": "0.4.13",
     "azure-devops-node-api": "^12.2.0",
+    "fast-xml-parser": "^4.3.6",
     "js-yaml": "^3.13.1",
     "minimatch": "3.0.2",
     "minimist": "^1.2.8",
