fix: replace hashicorp/go-version with golang.org/x/mod/semver (#532)

* fix: replace hashicorp/go-version with golang.org/x/mod/semver

The hashicorp/go-version package uses an MPL-2.0 license that triggers
Snyk license policy violations. Replace it with golang.org/x/mod/semver
(BSD-3-Clause) which is already a direct dependency.

* fix: include invalid value in semver error messages

Author: mwbrooks

go.mod

@@ -11,7 +11,6 @@ require (
 	github.com/cli/safeexec v1.0.1
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/websocket v1.5.3
-	github.com/hashicorp/go-version v1.9.0
 	github.com/joho/godotenv v1.5.1
 	github.com/kyokomi/emoji/v2 v2.2.13
 	github.com/logrusorgru/aurora/v4 v4.0.0
@@ -303,6 +302,7 @@ require (
 	github.com/hashicorp/go-immutable-radix/v2 v2.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
+	github.com/hashicorp/go-version v1.9.0 // indirect
 	github.com/hashicorp/golang-lru v1.0.2 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/hexops/gotextdiff v1.0.3 // indirect

internal/update/semver.go

@@ -15,32 +15,44 @@
 package update
 
 import (
-	"github.com/hashicorp/go-version"
+	"golang.org/x/mod/semver"
+
 	"github.com/slackapi/slack-cli/internal/slackerror"
 )
 
 // SemVerGreaterThan returns true if release is greater than current
 func SemVerGreaterThan(release string, current string) (bool, error) {
-	releaseVersion, err := version.NewVersion(release)
-	if err != nil {
-		return false, slackerror.New(slackerror.ErrInvalidSemVer).WithRootCause(err)
+	r := ensureVPrefix(release)
+	c := ensureVPrefix(current)
+	if !semver.IsValid(r) {
+		return false, slackerror.New(slackerror.ErrInvalidSemVer).
+			WithMessage("Value %s is not a semantic version", release)
 	}
-	currentVersion, err := version.NewVersion(current)
-	if err != nil {
-		return false, slackerror.New(slackerror.ErrInvalidSemVer).WithRootCause(err)
+	if !semver.IsValid(c) {
+		return false, slackerror.New(slackerror.ErrInvalidSemVer).
+			WithMessage("Value %s is not a semantic version", current)
 	}
-	return releaseVersion.GreaterThan(currentVersion), nil
+	return semver.Compare(r, c) > 0, nil
 }
 
 // SemVerLessThan returns true if release is less than current
 func SemVerLessThan(release string, current string) (bool, error) {
-	releaseVersion, err := version.NewVersion(release)
-	if err != nil {
-		return false, slackerror.New(slackerror.ErrInvalidSemVer).WithRootCause(err)
+	r := ensureVPrefix(release)
+	c := ensureVPrefix(current)
+	if !semver.IsValid(r) {
+		return false, slackerror.New(slackerror.ErrInvalidSemVer).
+			WithMessage("Value %s is not a semantic version", release)
+	}
+	if !semver.IsValid(c) {
+		return false, slackerror.New(slackerror.ErrInvalidSemVer).
+			WithMessage("Value %s is not a semantic version", current)
 	}
-	currentVersion, err := version.NewVersion(current)
-	if err != nil {
-		return false, slackerror.New(slackerror.ErrInvalidSemVer).WithRootCause(err)
+	return semver.Compare(r, c) < 0, nil
+}
+
+func ensureVPrefix(v string) string {
+	if len(v) > 0 && v[0] != 'v' {
+		return "v" + v
 	}
-	return releaseVersion.LessThan(currentVersion), nil
+	return v
 }

test/testutil/testutil.go

@@ -17,19 +17,21 @@ package testutil
 import (
 	"regexp"
 
-	"github.com/hashicorp/go-version"
 	"github.com/slackapi/slack-cli/internal/iostreams"
 	"github.com/spf13/cobra"
+	"golang.org/x/mod/semver"
 )
 
 // package + .test for root command
 var rootName string = "cmd.test"
 
 // ContainsSemVer checks if a string contains valid semver
 func ContainsSemVer(s string) bool {
-	matcher := regexp.MustCompile(version.SemverRegexpRaw)
-	match := matcher.MatchString(s)
-	return match
+	if semver.IsValid("v"+s) || semver.IsValid(s) {
+		return true
+	}
+	matcher := regexp.MustCompile(`[0-9]+\.[0-9]+\.[0-9]+`)
+	return matcher.MatchString(s)
 }
 
 // Set the command's IOStream to the mocked IOStream