When uploading to Nuget, the SemVer version might be invalid

[RoguePointer80]

Describe the bug
The current format is <version>-<hash>, but the hash might start with a leading 0, which is illegal syntax under SemVer 2.0.0.
For example, if the package is named 1.73.0-0eee625fae7ef2f8964954575ab351ff5916ae83, it would be parsed as Version "1.73.0" and pre-release info "0eee625fae7ef2f8964954575ab351ff5916ae83", but the leading 0 is invalid here since this is not a numeric identifier. See the full spec here.

Environment

• OS: Windows 10
• Compiler: msvc 19.28.29333

To Reproduce
Steps to reproduce the behavior:

1. Configure binary caching on Nuget server
2. vcpkg install (any package)
3. after compilation, package is pushed to Nuget server
4. Open up a browser and navigate to your Nuget server's package search page. Look for the package just uploaded.
   Notice that the UI (I'm using Baget server) is all weird, because of Node's semver library unable to parse the versions correctly.

Expected behavior
The version of the nuget package should be a valid SemVer string. One way to achieve that would be to simply prepend a non-digit in front of the hash, like "1.73.0-h0eee625fae7ef2f8964954575ab351ff5916ae83"

Failure logs
I had to create a sandboxed Node.js project to verify all this, so I don't have a failure log to provide.

Additional context
Why does vcpkg chose to use "pre-release information" to store the hash? It would be more semantically correct to use "build metadata", since this is exactly what this hash represents: the complete information about the build environment. But one has to consider the implication about version precedence: the pre-release info is part of the precedence, while build metadata is not. However I would argue that since it is a hash, and thus randomly distributed, the ordering is already broken, and it would be better to just remove that hash from the ordering.

[RoguePointer80]

I can provide a PR for this, but I'd like to know what you think about "pre-release info" vs "build metadata"

[strega-nil]

I don't believe this is invalid syntax under the BNF, however it does point to an invalid syntax... I'll post it here for ease of referral (translated to EBNF for ease of understanding):

valid_semver = version_core , [ "-" , pre_release ] , [ "+" , build ] ;

version_core = major, ".", minor, ".", patch ;
major = numeric_identifier ;
minor = numeric_identifier ;
patch = numeric_identifier ;

pre_release = pre_release_identifier , { "." , pre_release_identifer } ;
pre_release_identifier =
| alphanumeric_identifier
| numeric_identifier ;

build = build_identifier , { "." , build_identifier } ;
build_identifier =
| alphanumeric_identifier
| { digit } ;

alphanumeric_identifier =
| non_digit , { identifier_character }
| { identifier_character } , non_digit
| { identifier_character } , non_digit , { identifier_character } ;

numeric_identifier =
| "0"
| positive_digit, { digit } ;

identifier_character = digit | non_digit ;
non_digit = letter | "-" ;
digit = "0" | positive_digit ;

positive_digit = "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" ;

letter =
| "A" | "B" | "C" | "D" | "E" | "F" | "G" | "H" | "I" | "J"
| "K" | "L" | "M" | "N" | "O" | "P" | "Q" | "R" | "S" | "T"
| "U" | "V" | "W" | "X" | "Y" | "Z"
| "a" | "b" | "c" | "d" | "e" | "f" | "g" | "h" | "i" | "j"
| "k" | "l" | "m" | "n" | "o" | "p" | "q" | "r" | "s" | "t"
| "u" | "v" | "w" | "x" | "y" | "z" ;

Given that there will never be dots in a hash, we are going to ignore pre_release, and just look at pre_release_identifier. First, we should notice that it's either an alphanumeric_identifier or a numeric_identifier. We should consider the alphanumeric_identifier first, since it's going to be the most common for hashes:

alphanumeric_identifier =
| non_digit , { identifier_character }
| { identifier_character } , non_digit
| { identifier_character } , non_digit , { identifier_character } ;

What this means is that, as long as we have a non-digit (letter or -), we can have any sequence of identifier characters otherwise. Identifier characters do include 0, so this is not an issue.

However, what happens when there are no alphabetic characters in a hash? Yes, it's unlikely, but it is possible. Then, this would be a numeric_identifier, which doesn't allow leading zero. Therefore, this is a problem!

I agree with the solution you provided, of moving the hash to the build metadata. I think it's totally reasonable, and fixes both of the problems you've talked about, since { digit } is a valid build identifier.

As a fun fact, as I was researching this, I noticed that - is an identifier character... so:

1.0.0----------------------------------------------------------------------------

is a completely valid semver.

[sipsorcery]

I'm also attempting to use nuget.org as a package repository for binary caching. In my case the package push gets rejected due to an invalid version.

Pushing zeromq_x86-windows.nupkg to 'https://www.nuget.org/api/v2/package'...
  PUT https://www.nuget.org/api/v2/package/
  BadRequest https://www.nuget.org/api/v2/package/ 4340ms
Response status code does not indicate success: 400 (The NuGet package contains an invalid .nuspec file. The error encountered was: 'The package manifest contains an invalid Version: '2019.9.20-285306c2872c2896752d128f574c281067e4bddb''. Correct the error and try again.).

[strega-nil]

@sipsorcery good to know, so Nuget's implementation of semver is broken.

cc @ras0219 to fix this?

[frivard-coveo]

So it seems both NPM's library of SemVer and Nuget.org (unknown library) don't handle a pre-release identifier starting with a digit.
I will work on a PR that changes the pre-release to build metadata.

[frivard-coveo]

After some testing with build metadata, it is not such a good idea after all, since the file created by nuget pack does not contain build metadata, only the major, minor and patch version. Therefore a change in only the ABI would not work since the nuget package would have the same file name, and the GET on the nuget server would return another package.
I will instead implement the other solution of prefixing "hash" to the pre-release info.