Summary
Surge currently accepts version strings that are not strictly valid Semantic Versioning 2.0 in several Rust and .NET paths. The managed wrapper also exposes release/app versions as raw strings instead of a typed semantic-version API.
Problem
- Rust release-manifest and update flows do not enforce strict SemVer 2.0 parsing everywhere.
- Release-index delta metadata can carry invalid
from_version values.
- Installer manifests and runtime metadata accept loosely formatted versions.
Surge.NET exposes version values as string, which makes invalid values easy to pass through application code.- Release tooling validates only a narrow prerelease pattern instead of SemVer 2.0.
Proposed change
- Enforce strict SemVer 2.0 parsing, canonicalization, and precedence ordering across Rust release/update/install flows.
- Reject invalid release versions and invalid delta base versions at manifest boundaries.
- Add a typed
SemVersion API to Surge.NET for library, app, release, and lifecycle callback versions.
- Vendor a SemVer 2.0 implementation into
dotnet/Surge.NET from a widely used MIT-licensed source, including upstream license attribution and coverage in the local test suite.
- Tighten release-version scripting to accept full SemVer 2.0 syntax, including build metadata.
Acceptance criteria
- Invalid version strings such as
1, 1.2, 01.2.3, 1.2.3-01, and whitespace-padded values are rejected.
- Version precedence matches SemVer 2.0 examples and ignores build metadata.
- Delta descriptors always record a valid semantic
from_version.
Surge.NET exposes semantic versions as a typed API and has unit coverage for strict parsing and precedence behavior.- Local validation passes:
./scripts/sync-surge-core-vendor.sh --check./scripts/check-version-sync.shcargo fmt --all -- --checkRUSTFLAGS="-D warnings" cargo test --workspacecargo clippy --all-targets --all-features -- -D warningscargo clippy --workspace --lib --bins --examples -- -D warnings -D clippy::unwrap_used -D clippy::expect_usedcargo clippy --workspace --all-targets --all-features -- -D warnings -W clippy::pedanticdotnet format dotnet/Surge.slnx --verify-no-changesdotnet test dotnet/Surge.slnx --configuration Release
Source candidate
Use the MIT-licensed WalkerCodeRanger/semver implementation as the managed SemVer source base, vendored with attribution under dotnet/Surge.NET.
Summary
Surge currently accepts version strings that are not strictly valid Semantic Versioning 2.0 in several Rust and .NET paths. The managed wrapper also exposes release/app versions as raw strings instead of a typed semantic-version API.
Problem
from_versionvalues.Surge.NETexposes version values asstring, which makes invalid values easy to pass through application code.Proposed change
SemVersionAPI toSurge.NETfor library, app, release, and lifecycle callback versions.dotnet/Surge.NETfrom a widely used MIT-licensed source, including upstream license attribution and coverage in the local test suite.Acceptance criteria
1,1.2,01.2.3,1.2.3-01, and whitespace-padded values are rejected.from_version.Surge.NETexposes semantic versions as a typed API and has unit coverage for strict parsing and precedence behavior../scripts/sync-surge-core-vendor.sh --check./scripts/check-version-sync.shcargo fmt --all -- --checkRUSTFLAGS="-D warnings" cargo test --workspacecargo clippy --all-targets --all-features -- -D warningscargo clippy --workspace --lib --bins --examples -- -D warnings -D clippy::unwrap_used -D clippy::expect_usedcargo clippy --workspace --all-targets --all-features -- -D warnings -W clippy::pedanticdotnet format dotnet/Surge.slnx --verify-no-changesdotnet test dotnet/Surge.slnx --configuration ReleaseSource candidate
Use the MIT-licensed
WalkerCodeRanger/semverimplementation as the managed SemVer source base, vendored with attribution underdotnet/Surge.NET.