Fix: Exclude packages without channel metadata from channel-specific feed requests by prpercival · Pull Request #747 · velopack/velopack · GitHub

@prpercival

Summary

Fixes an issue where packages without channel metadata (zip.Channel == null) are incorrectly included in channel-specific feed requests. This primarily affects migration scenarios from Clowd.Squirrel where legacy packages lack channel information.

Problem

The current logic in SimpleFileSource.GetReleaseFeed() treats packages without channel metadata as matching any channel:

if (channel == null || zip?.Channel == null || zip?.Channel == channel) {
    list.Add(asset);
}

This means when requesting updates for a specific channel (e.g., "beta"), legacy packages without channel metadata are incorrectly included in the results, potentially causing:

  • Incorrect version detection (e.g., 3.0.111 legacy package appearing in beta feed)
  • Unintended downgrades when AllowVersionDowngrade = true
  • Confusion during Squirrel → Velopack migrations

Solution

Changed the logic to only include packages with explicit channel matches when a specific channel is requested:

// If requesting a specific channel, only include packages explicitly in that channel
if (channel != null && (zip?.Channel == null || zip?.Channel != channel)) {
    logger.Warn($"Skipping local package '{pkg}' because it is not in the '{channel}' channel.");
    continue;
}

// If no specific channel requested (channel == null), include all packages
logger.Debug($"Read package '{pkg}' with version '{asset.Version}' in channel '{zip?.Channel}'.");
list.Add(asset);

Testing

Have not tested locally, but the logic is pretty straightforward.

Breaking Changes

Not sure if there is any background as to why this exists the way it does; would have to have a more active maintainer chime in on any breaking changes.

…requests

When GetReleaseFeed() is called with a specific channel, packages
without channel metadata (Channel == null) are now excluded from
the results. Previously, these packages were included in all
channel-specific requests, causing issues during Squirrel migrations
where legacy packages would appear as valid releases on any channel.

This change ensures that:
- Channel-specific requests only return packages explicitly tagged
  with that channel
- Requests without a specific channel (channel == null) still
  return all packages
- Legacy packages without channel metadata are properly isolated
  from channel-specific update checks

Fixes issue where legacy packages could cause unintended downgrades
when AllowVersionDowngrade is enabled.
@prpercival

Issue for PR: #747
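
The two channel predicates from the description, run side by side over a constructed package list. This is an added example, not code from the pull request or from Velopack: `Pkg`, `OldFilter`, `NewFilter`, `Latest` and the sample file names are hypothetical, and only the two boolean conditions mirror the snippets quoted above.

```csharp
// Added illustration; Pkg, OldFilter, NewFilter and Latest are hypothetical names, not Velopack types.
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed sample: one legacy package without channel metadata, two tagged packages.
var local = new List<Pkg> {
    new("legacy-3.0.111.nupkg", new Version(3, 0, 111), null),   // migrated from Clowd.Squirrel
    new("app-2.1.0-beta.nupkg", new Version(2, 1, 0), "beta"),
    new("app-2.0.5-stable.nupkg", new Version(2, 0, 5), "stable"),
};

// Compare what each predicate hands to the update check for every kind of request.
foreach (var channel in new[] { "beta", "stable", null }) {
    var before = OldFilter(local, channel);
    var after = NewFilter(local, channel);
    Console.WriteLine($"requested channel: {channel ?? "(none)"}");
    Console.WriteLine($"  old filter: {before.Count} package(s), latest {Latest(before)}");
    Console.WriteLine($"  new filter: {after.Count} package(s), latest {Latest(after)}");
}

// Pre-fix condition: a package with a null channel matches any requested channel.
static List<Pkg> OldFilter(IEnumerable<Pkg> pkgs, string? channel) =>
    pkgs.Where(p => channel == null || p.Channel == null || p.Channel == channel).ToList();

// Post-fix condition: a requested channel must match explicitly;
// a request without a channel still returns every package.
static List<Pkg> NewFilter(IEnumerable<Pkg> pkgs, string? channel) =>
    pkgs.Where(p => channel == null || p.Channel == channel).ToList();

// Highest version in a feed, which is what an update check would treat as the newest release.
static string Latest(List<Pkg> feed) =>
    feed.Count == 0 ? "(none)" : feed.Max(p => p.Version)!.ToString();

record Pkg(string File, Version Version, string? Channel);
```

For a "beta" request the old predicate reports the untagged 3.0.111 package as the newest release, while the new predicate reports 2.1.0; a request with no channel returns all three packages under both.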
