Fix invalid Composer version strings by retlehs · Pull Request #18 · roots/wp-packages

retlehs · 2026-03-16T15:46:09Z

Summary

Tighten version validation regex to only allow Composer-compatible pre-release
suffixes (alpha, beta, rc, dev, stable, etc). Rejects invalid forms
like -dev1, -free, and trailing-dot prereleases (e.g. -beta.) that trigger
Composer Invalid version string errors.
Add defense-in-depth NormalizeVersions() call in the builder so stale DB rows
with invalid versions never reach p/ or p2/ artifacts.
Expand test coverage with 50 cases including the reported bug (3.1.0-dev1),
trailing-dot edge cases, and samples from the Wordfence invalid version corpus.

Closes #17

Test plan

go test ./... passes
Local single-package rebuild of wp-plugin/elementor strips all 87 -devN
versions while preserving all valid versions
After deploy: run update + build + deploy artifacts to purge invalid
versions from production metadata

🤖 Generated with Claude Code

Tighten version validation regex to only allow Composer-compatible pre-release suffixes (alpha, beta, rc, etc). The previous regex accepted -dev1 and similar non-Composer suffixes which Composer's VersionParser rejects. Add defense-in-depth filtering in the builder so stale DB rows with invalid versions can't reach artifacts. Closes #17 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

retlehs · 2026-03-16T15:49:16Z

Affected packages: 98 packages with 386 invalid versions

Package	Invalid versions
`plugin/51degrees-optimize-by-device-location`	`4.2.0-improvements.26`
`plugin/accordions`	`2.2.97-readme`
`plugin/aforms-form-builder-for-price-calculator-cost-estimation`	`1.2.5-2`, `1.2.7-2`
`plugin/all-post-listing-block`	`1.1.0-2`
`plugin/antispam-for-elementor-forms`	`2.1.0-1`
`plugin/attribute-stock-for-woocommerce`	`1.3.0-1`
`plugin/automatic-translate-addon-for-translatepress`	`2-2`
`plugin/avify`	`1.1.2-fix`
`plugin/bitid-authentication`	`0.0.2-20140705`, `0.0.3-20140710`, `0.0.4-20140710`, `1.0.0-20151004`, `1.0.1-20180505`
`plugin/blob-mimes`	`0.5.3-0`
`plugin/broken-link-checker`	`0.4-i8n`
`plugin/california-state-grants`	`2.0.3-readme`
`plugin/canalblog-importer`	`1.5.0-2`, `1.5.1-1`, `1.6.1-1`, `1.6.5-1`, `1.6.5-2`, `1.6.5-3`
`plugin/carbonbadge-block`	`1.3.3-test`
`plugin/cardcrafter-data-grids`	`1.3.2-hotfix`, `1.4.1-release`
`plugin/chatbot-chatgpt`	`2.4.3-bad`
`plugin/cherry-picker`	`1.2.3-comp`
`plugin/cleantalk-spam-protect`	`2.50-profiling`, `4.24-j`, `5.25-devel`, `5.27-classes`, `5.27-options`, `5.28-debug`
`plugin/click-pledge-connect`	`02.1912000103-WP5.3.1`, `02.2002000200-WP5.3.2`, `02.2101000000-WP5.6`, `02.2112000000-WP5.8.2`, `02.2112010000-WP5.8.2`, `02.2301020000-WP6.1.1`, `2.23110000-WP6.4.1`, `2.24080000-WP6.6.1`, `2.24120000-WP6.7.1`, `25.04010101-WP6.8`, `25.07000000-WP6.8.1`, `25.07000001-WP6.8.1`, `25.07000002-WP6.8.2`, `25.09000000-WP6.8.2`
`plugin/clip-for-woocommerce`	`1.2.2-1`
`plugin/create-user-from-guest-order`	`1.0.2-1`
`plugin/dblocks-youtube-lazyload`	`1.0.0-0`
`plugin/digital-license-manager`	`1.8.3-test`
`plugin/disable-remove-google-fonts`	`1.5.3-push`, `1.6.4-tested`
`plugin/document-library-lite`	`1.0.5-1`
`plugin/elementor`	`3.1.0-dev1`, `3.1.0-dev2`, `3.1.0-dev3`, `3.10.0-dev1`, `3.11.0-dev1`, `3.11.0-dev2`, `3.11.0-dev3`, `3.13.0-dev3`, `3.13.0-dev4`, `3.16.0-dev1`, `3.16.0-dev2`, `3.17.0-dev2`, `3.17.0-dev3`, `3.17.0-dev4`, `3.18.0-dev1`, `3.19.0-dev1`, `3.19.0-dev2`, `3.19.0-dev3`, `3.19.0-dev4`, `3.19.0-dev5`, `3.19.0-dev6`, `3.20.0-dev1`, `3.20.0-dev2`, `3.20.0-dev3`, `3.20.0-dev4`, `3.21.0-dev1`, `3.21.0-dev2`, `3.21.0-dev3`, `3.22.0-dev1`, `3.22.0-dev2`, `3.22.0-dev3`, `3.22.0-dev4`, `3.22.0-dev5`, `3.22.0-dev6`, `3.23.0-dev1`, `3.23.0-dev2`, `3.23.0-dev3`, `3.23.0-dev4`, `3.23.0-dev5`, `3.23.0-dev6`, `3.24.0-dev1`, `3.24.0-dev2`, `3.24.0-dev3`, `3.25.0-dev1`, `3.25.0-dev2`, `3.25.0-dev3`, `3.26.0-dev1`, `3.26.0-dev2`, `3.26.0-dev3`, `3.26.0-dev4`, `3.26.0-dev5`, `3.27.0-dev1`, `3.27.0-dev2`, `3.28.0-dev1`, `3.28.0-dev2`, `3.28.0-dev3`, `3.29.0-dev1`, `3.29.0-dev2`, `3.29.0-dev3`, `3.29.0-dev4`, `3.30.0-dev1`, `3.30.0-dev2`, `3.30.0-dev3`, `3.31.0-dev1`, `3.31.0-dev2`, `3.32.0-dev1`, `3.32.0-dev2`, `3.32.0-dev3`, `3.33.0-dev1`, `3.33.0-dev2`, `3.33.0-dev3`, `3.33.0-dev4`, `3.34.0-dev1`, `3.34.0-dev2`, `3.35.0-dev1`, `3.35.0-dev2`, `3.35.0-dev3`, `3.35.0-dev4`, `3.4.0-dev7`, `3.4.0-dev8`, `3.4.0-dev9`, `3.5.0-dev8`, `3.5.0-dev9`, `3.6.0-dev1`, `3.6.0-dev10`, `3.7.0-dev1`
`plugin/fattura24`	`8.0.27-fix`
`plugin/folding-stats-plus`	`1.9-pre`
`plugin/font-awesome`	`5.2.0-1`
`plugin/force-delete-posts`	`1.1.1-5.2.2`, `1.1.2-WP5.6.1`
`plugin/formassembly-web-forms`	`2.0.4-assets`, `2.0.5-assets`, `2.0.7-assets`
`plugin/fullworks-anti-spam`	`2.5.1-free`
`plugin/genesis-style-select`	`0-7`
`plugin/gift-up`	`2.19.2-1`
`plugin/gleap`	`13.0.3-hotfix`
`plugin/imajinn-ai`	`1.0.1-1`
`plugin/internet-connection-status`	`1.4.3-post`
`plugin/ivrita`	`0.1.2-fix`
`plugin/ivyforms`	`0.6.1-backup`
`plugin/kadence-blocks`	`3.6.1-naming`
`plugin/lava-real-estate-manager`	`1.0.3-part2`
`plugin/lazy-loading-and-navigation`	`1.0.0-runner`
`plugin/lifterlms`	`5.4.0-testing.1`
`plugin/like-dislike-for-wp`	`1.3.1-Release`
`plugin/lj-xp`	`2.0.5-r43`, `2.0.5-r51`, `2.0.5-r53`
`plugin/mailpoet`	`3.0.0-beta.23.1`, `3.0.0-beta.23.2`, `3.0.0-beta.33.1`, `3.0.0-beta.34.0.0`, `3.0.0-beta.36.0.0`, `3.0.0-beta.36.0.1`, `3.0.0-beta.36.2.0`, `3.0.0-beta.36.3.0`, `3.0.0-beta.36.3.1`, `3.0.0-beta.37.0.0`, `3.0.0-beta.7.1`, `3.0.0-rc.1.0.0`, `3.0.0-rc.1.0.1`, `3.0.0-rc.1.0.2`, `3.0.0-rc.1.0.3`, `3.0.0-rc.1.0.4`, `3.0.0-rc.2.0.0`, `3.0.0-rc.2.0.1`, `3.0.0-rc.2.0.2`, `3.0.0-rc.2.0.3`
`plugin/mesomb-for-woocommerce`	`1.2.5-2`
`plugin/modern-images-wp`	`1.1.0-release`
`plugin/my-appeal`	`2.1.0-0`, `2.1.0-1`, `2.1.0-2`, `2.1.0-3`, `2.1.0-4`
`plugin/ochatbot-and-ometrics-conversion-optimization-tools`	`1.2.01-1`
`plugin/old-post-warning`	`0.2-20251107`, `0.2-20251128`
`plugin/olympus-google-fonts`	`3.3.5-fix`, `3.3.7-compat`, `3.3.8-fix`
`plugin/open-web-analytics`	`2.0.0-fix`
`plugin/order-delivery-date-for-woocommerce`	`3.17.1-1`
`plugin/orderstorm-e-commerce`	`2.0.1-2017.01.13`, `2.0.2-2017.01.17`
`plugin/orderstorm-wordpress-e-commerce`	`0.4.8-2011.08.19`, `0.4.8.1-2011.08.19`, `0.4.8.2-2011.08.21`, `0.4.9-2011.08.23`, `0.4.9.1-2011.09.16`, `0.4.9.10-2011.10.29`, `0.4.9.2-2011.10.17`, `0.4.9.3-2011.10.21`, `0.4.9.4-2011.10.24`, `0.4.9.5-2011.10.24`, `0.4.9.6-2011.10.26`, `0.4.9.7-2011.10.26`, `0.4.9.8-2011.10.27`, `0.4.9.9-2011.10.28`, `0.5-2011.12.14`, `0.5.0.1-2011.12.21`, `0.5.0.2-2011.12.29`, `0.5.0.2-2012.01.10`, `0.5.1-2012.01.24`, `0.5.2-2012.02.28`, `0.5.3-2012.02.29`, `0.5.3.1-2012.03.01`, `0.5.3.2-2012.05.07`, `0.5.3.3-2012.05.23`, `0.5.4-2012.06.09`, `0.5.4.1-2012.06.11`, `0.5.5-2012.07.07`, `0.5.5.1-2012.07.11`, `0.5.5.2-2012.07.17`, `0.5.6-2012.07.19`, `0.5.6.1-2012.07.20`, `0.5.6.2-2012.07.21`, `0.5.6.3-2012.07.25`, `0.5.6.4-2012.07.25`, `0.5.7-2012.08.13`, `0.5.7.1-2012.08.14`, `0.5.7.2-2012.10.07`, `0.5.7.3-2012.10.08`, `0.5.7.4-2012.12.17`, `0.5.7.5-2013.01.22`, `0.5.7.6-2013.02.01`, `0.6-2013.03.18`, `0.6.0.1-2013.03.18`, `0.6.0.2-2013.03.19`, `0.6.0.3-2013.04.22`, `0.6.1-2013.05.29`, `0.6.2-2013.06.08`, `0.6.2.1-2013.06.12`, `1.0-2015.09.29`, `1.0.1-2015.09.30`, `1.0.10-2015.12.29`, `1.0.11-2016.01.06`, `1.0.12-2016.01.08`, `1.0.13-2016.01.11`, `1.0.13.1-2016.01.11`, `1.0.14-2016.01.27`, `1.0.15-2016.01.29`, `1.0.16-2016.02.01`, `1.0.17-2016.04.06`, `1.0.2-2015.09.30`, `1.0.3-2015.10.02`, `1.0.4-2015.10.23`, `1.0.5-2015.10.29`, `1.0.6-2015.11.04`, `1.0.7-2015.12.18`, `1.0.8-2015.12.22`, `1.0.9-2015.12.23`
`plugin/orderstorm-wordpress-e-commerce-custom`	`0.4.9.10-2011.11.23`, `0.5.0.2-2011.12.29`, `0.5.2-2012.02.28`, `0.5.3.1-2012.03.01`, `0.5.3.2-2012.05.07`, `0.5.4-2012.06.09`, `0.5.5-2012.07.07`, `0.5.7-2012.08.13`, `0.6.1-2013.05.29`, `0.6.2-2013.06.08`, `1.0-2015.09.29`, `1.0.10-2015.12.29`, `1.0.11-2016.01.06`, `1.0.12-2016.01.08`, `1.0.13-2016.01.11`, `1.0.14-2016.01.27`, `1.0.3-2015.10.02`, `1.0.4-2015.10.23`, `1.0.5-2015.10.29`, `1.0.6-2015.11.04`, `1.0.7-2015.12.18`, `1.0.9-2015.12.23`
`plugin/orderstorm-wordpress-toolbox`	`0.1-2011.11.26`, `0.1-2011.12.9`, `0.2-2012.07.11`
`plugin/ownerrez`	`1.2.5-1`
`plugin/photo-collage`	`0.5.3-test`
`plugin/post-expirator`	`3.4.4-hotfix.932`
`plugin/posts-data-table`	`1.3.1-v2`
`plugin/privatepost`	`1.1-WP2.3Compatible`
`plugin/reepay-checkout-gateway`	`1.1.17-2`, `1.2.5-1`, `1.2.6-2`
`plugin/related-posts-on-404-page`	`1.0-initial`, `1.3-new`
`plugin/reposition-thumnails`	`0.0.3-20130820`
`plugin/rest-api`	`2.0-beta12.1`, `2.0-beta13.1`, `2.0-beta3.1`, `2.0-beta4.1`, `2.0-beta5.1`, `2.0-beta6.1`, `2.0-beta7.1`, `2.0-beta8.1`, `2.0-beta9.1`
`plugin/scriblio`	`2.7-r1`, `2.7-r2`, `2.7-r3`, `2.7-r4`, `2.9-r1`, `2.9-r2`
`plugin/scriblio-schema-marcish`	`2.9-r1`, `2.9-r1.1`
`plugin/section-widget`	`3.0-lite`, `3.0.1-lite`, `3.0.2-lite`, `3.0.3-lite`, `3.0.4-lite`
`plugin/seel-worry-free-purchase`	`1.0.4-hotfix`
`plugin/simple-podcasting`	`1.2.3-deploy`
`plugin/simple-tags`	`1.7.1-rc1.2`
`plugin/sisanu-site-deployment`	`0.1-alfa`
`plugin/smartpay`	`2.4.1-stable2`
`plugin/swipecart`	`2.8.6-staging`
`plugin/sympose`	`1.3.2.1-c`, `1.3.2.1-e`
`plugin/taboola-push-notification`	`5.3.5-updated`
`plugin/tidio-live-chat`	`6.0.18-fix`
`plugin/tweet-old-post`	`6.8.4-back`
`plugin/ubigeo-peru`	`4.7-1`
`plugin/univapay-for-wc`	`0.4.4-1`
`plugin/uptodown-apk-download-widget`	`0.1.4-2`
`plugin/url-params`	`2.5-review`
`plugin/usc-e-shop`	`2.2.5-1`
`plugin/vault-docs`	`0.9.0-2`
`plugin/vbpress`	`0.1.0-2`
`plugin/woo-mynix-braintree`	`0.1-15`, `0.1-16`, `0.1-17`, `0.1-18`, `0.1-19`, `0.1-22`, `0.2-1`, `0.2-1.1`
`plugin/woo-payment-bkash`	`3.0.0-readme`, `3.0.0-version`
`plugin/woocommerce-gateway-paytpv`	`2.0.1-R`
`plugin/woolab-ic-dic`	`1.8.2-alfa`
`plugin/wp-mybackup`	`0.2.2-3`, `0.2.2-4`, `0.2.3-27`, `0.2.3-3`, `0.2.3-30`, `0.2.3-31`, `0.2.3-32`, `0.2.3-33`, `0.2.3-34`, `0.2.3-35`, `0.2.3-37`, `1.0-2`, `1.0-3`
`plugin/wp-mycarousel`	`0.1-10`, `0.1-7`, `0.1-8`, `0.1-9`
`plugin/wp-zff-zend-framework-full`	`1.10.3-1`, `1.10.4-1`, `1.10.5-1`, `1.11.11-1`, `1.11.12-1`, `1.11.2-1`, `1.11.2-2`
`plugin/wpgraphql-acf`	`2.0.0-beta.7.0.0`
`plugin/wpsupervisor-client`	`1.1.8-2`, `1.1.9-1`
`plugin/yummy-cookies`	`1.0.1-1`
`plugin/zu-contact`	`1.0.8-wp`

rvola · 2026-03-16T16:02:59Z

thanks @retlehs 🙌

retlehs self-assigned this Mar 16, 2026

retlehs changed the title ~~Fix invalid Composer version strings (#17)~~ Fix invalid Composer version strings Mar 16, 2026

Format

fcb7eec

retlehs merged commit 97bfe95 into main Mar 16, 2026
6 checks passed

retlehs deleted the composer-version-validation branch March 16, 2026 15:53

retlehs mentioned this pull request Mar 16, 2026

Fix dev-trunk regression and accept v-prefixed versions #20

Merged

4 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix invalid Composer version strings#18

Fix invalid Composer version strings#18
retlehs merged 2 commits intomainfrom
composer-version-validation

retlehs commented Mar 16, 2026

Uh oh!

retlehs commented Mar 16, 2026

Uh oh!

Uh oh!

rvola commented Mar 16, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

retlehs commented Mar 16, 2026

Summary

Test plan

Uh oh!

retlehs commented Mar 16, 2026

Uh oh!

Uh oh!

rvola commented Mar 16, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants