NuGet package failing to restore via an Artifactory Mirror

[gjbell]

Describe the bug

The current prelease version for YamlDotNet is 12.0.3-JG-update-readme-0001 (from build 12.0.3-JG-update-readme-0001.794
, pr #696). I believe the capital JG characters in the version name are breaking Artifactory proxying / caching.

---

As this pre-release version has been pushed to NuGet, it now appears via the NuGet API on https://api.nuget.org/v3/registration5-gz-semver2/yamldotnet/index.json

Artifactory is now unable to proxy / cache YamlDotNet:

• The NuGet index.json references https://api.nuget.org/v3/registration5-gz-semver2/yamldotnet/page/8.0.0/12.0.3-jg-update-readme-0001.json as the URL for the last catalogue page.
• However, Artifactory is trying to download https://api.nuget.org/v3/registration5-gz-semver2/yamldotnet/page/8.0.0/12.0.3-JG-update-readme-0001.json with mixed casing instead of a lower case URL. NuGet returns a 404, which Artifactory does not expect resulting in 500 response.

Due to the above, NuGet package restores via Artifactory fail with

NuGet.targets(130,5): error : Response status code does not indicate success: 500 (Internal Server Error)

I appreciate this is a bug with Artifactory, but as a workaround, would it be possible to create a new pre-release version of this package with a lowercase version name?

A similar issue has previously been reported on #584 (comment)

To Reproduce

• Publish a prerelease version with capital characters
• Try to restore YamlDotNet using NuGet CLI + Artifactory

[gjbell]

Here is the latest version of https://api.nuget.org/v3/registration5-gz-semver2/yamldotnet/index.json at the time of writing:

{
    "@id": "https://api.nuget.org/v3/registration5-gz-semver2/yamldotnet/index.json",
    "@type": [
        "catalog:CatalogRoot",
        "PackageRegistration",
        "catalog:Permalink"
    ],
    "commitId": "4a785530-73fa-424f-8f3d-f8d5ec094df1",
    "commitTimeStamp": "2022-07-13T05:03:32.7754756+00:00",
    "count": 4,
    "items": [
        {
            "@id": "https://api.nuget.org/v3/registration5-gz-semver2/yamldotnet/page/2.3.0-rc/3.9.0-pre239.json",
            "@type": "catalog:CatalogPage",
            "commitId": "a86247e0-dc5c-47a4-9c34-517c8086789a",
            "commitTimeStamp": "2021-02-02T12:14:33.9174985+00:00",
            "count": 64,
            "lower": "2.3.0-rc",
            "upper": "3.9.0-pre239"
        },
        {
            "@id": "https://api.nuget.org/v3/registration5-gz-semver2/yamldotnet/page/3.9.0-pre240/4.1.1-pre0355.json",
            "@type": "catalog:CatalogPage",
            "commitId": "a86247e0-dc5c-47a4-9c34-517c8086789a",
            "commitTimeStamp": "2021-02-02T12:14:33.9174985+00:00",
            "count": 64,
            "lower": "3.9.0-pre240",
            "upper": "4.1.1-pre0355"
        },
        {
            "@id": "https://api.nuget.org/v3/registration5-gz-semver2/yamldotnet/page/4.1.1-pre0356/8.0.0-pre0572.json",
            "@type": "catalog:CatalogPage",
            "commitId": "a86247e0-dc5c-47a4-9c34-517c8086789a",
            "commitTimeStamp": "2021-02-02T12:14:33.9174985+00:00",
            "count": 64,
            "lower": "4.1.1-pre0356",
            "upper": "8.0.0-pre0572"
        },
        {
            "@id": "https://api.nuget.org/v3/registration5-gz-semver2/yamldotnet/page/8.0.0/12.0.3-jg-update-readme-0001.json",
            "@type": "catalog:CatalogPage",
            "commitId": "4a785530-73fa-424f-8f3d-f8d5ec094df1",
            "commitTimeStamp": "2022-07-13T05:03:32.7754756+00:00",
            "count": 26,
            "lower": "8.0.0",
            "upper": "12.0.3-JG-update-readme-0001"
        }
    ],
    "@context": {
        "@vocab": "http://schema.nuget.org/schema#",
        "catalog": "http://schema.nuget.org/catalog#",
        "xsd": "http://www.w3.org/2001/XMLSchema#",
        "items": {
            "@id": "catalog:item",
            "@container": "@set"
        },
        "commitTimeStamp": {
            "@id": "catalog:commitTimeStamp",
            "@type": "xsd:dateTime"
        },
        "commitId": {
            "@id": "catalog:commitId"
        },
        "count": {
            "@id": "catalog:count"
        },
        "parent": {
            "@id": "catalog:parent",
            "@type": "@id"
        },
        "tags": {
            "@id": "tag",
            "@container": "@set"
        },
        "reasons": {
            "@container": "@set"
        },
        "packageTargetFrameworks": {
            "@id": "packageTargetFramework",
            "@container": "@set"
        },
        "dependencyGroups": {
            "@id": "dependencyGroup",
            "@container": "@set"
        },
        "dependencies": {
            "@id": "dependency",
            "@container": "@set"
        },
        "packageContent": {
            "@type": "@id"
        },
        "published": {
            "@type": "xsd:dateTime"
        },
        "registration": {
            "@type": "@id"
        }
    }
}

[aaubry]

The release process is automated and the version names are generated using GitVersion. Changing this is not trivial.
The intent of these pre-release versions is to allow specific users to test a branch. Those packages are unlisted so in order to use them one needs to ask specifically for that version.
I don't know why Artifactory is caching unlisted packages, but I don't think it should.

In this case, the pre-release package was created because someone created a branch to edit a readme, which triggered a pre-release build. Why are you trying to use this package?

[EdwardCooke]

I wouldn't recommend using a pre-release version unless you're testing out a specific feature that was in active development prior to being merged. We should be getting a new version of the package containing all of the bug fixes that have been incorporated into the master branch soon.

[gjbell]

Thanks for the quick responses.

In this case, the branch for #696 was called JG-update-readme which generated 12.0.3-JG-update-readme-0001 as the version name.

As far as I can tell, Artifactory is not trying to download 12.0.3-JG-update-readme-0001 as an artifact, it is trying to download the latest NuGet catalogue page (docs) which is https://api.nuget.org/v3/registration5-gz-semver2/yamldotnet/page/8.0.0/12.0.3-jg-update-readme-0001.json according to the index.json.

However, Artifactory is failing to use lower case and is trying to read api.nuget.org/v3/registration5-gz-semver2/yamldotnet/page/8.0.0/12.0.3-**JG**-update-readme-0001.json instead.

It's definitely an issue with Artifactory, but I think creating a new prerelease from an all lowercase branch should workaround the issue.

EDIT: To clarify, this affects package restore of any YamlDotNet version via Artifactory as the catalogue page needs to be read before the artefact is downloaded

[aaubry]

I have opened a PR with a workaround. Incidentally, the branch name is in lowercase, which should fix your issue.

[aaubry]

The package has been released. @gjbell , please check if it is working now. From the NuGet API I see a new link, so it should be fine for now.

[gjbell]

The package has been released. @gjbell , please check if it is working now. From the NuGet API I see a new link, so it should be fine for now.

Amazing. Thank you @aaubry. I can confirm it's working for me on a private Artifactory feed

[aaubry]

The package has been released. @gjbell , please check if it is working now. From the NuGet API I see a new link, so it should be fine for now.

Amazing. Thank you @aaubry. I can confirm it's working for me on a private Artifactory feed

Excellent! As far as I can tell, this will happen again as the name of the release is used in the URL for pagination. Every time a pre-release package in uppercase is at the boundary of a page, there will be URLs that don't work as Artifactory expects. Can we open an issue on Artifactory? They should be following the links that come in the response.

[gjbell]

Excellent! As far as I can tell, this will happen again as the name of the release is used in the URL for pagination. Every time a pre-release package in uppercase is at the boundary of a page, there will be URLs that don't work as Artifactory expects. Can we open an issue on Artifactory? They should be following the links that come in the response.

Fully agree. I'll be raising with Artifactory / JFrog and once I have a public reference I'll share back here.

[aaubry]

It could be argued that NuGet.org also has a bug, because they seem to assume that we never publish two pre-release versions that differ only in case, as that would likely break their pagination. As far as I can tell, there's nothing the SemVer spec that prevents it.

[EdwardCooke]

@gjbell are you ok with me closing this issue now that it's resolved?

[JuergenGutsch]

Ah... That was my fault since I'm only writing my token in capital letters. As a Windows user, I usually don't care. Sorry for that.

[EdwardCooke]

Closing since the problem is solved.