Bug: Dependency version validation only checks latest release, misses backport/earlier releases #485
Bug Report
Description
The dependency version validation logic incorrectly reports valid dependency versions as invalid when they exist as backport releases or earlier releases that are not the latest.
Example
In PR https://github.com/keycardlabs/pkg-oapi-common/pull/25#discussion_r2248812465, the analysis incorrectly reported that github.com/matoous/go-nanoid/v2 v2.1.0 was invalid because v2.1.0 was not the latest release. However, v2.1.0 is a valid release that exists at https://github.com/matoous/go-nanoid/releases/tag/v2.1.0.
Root Cause
The validation logic uses gh api repos/owner/repo/releases/latest, which only returns the most recent release, rather than checking for the specific version being used.
Expected Behavior
The validation should check for the specific version being used in the dependency, not just compare against the latest release.
Suggested Fix
Use gh api repos/owner/repo/releases/tags/{version} to check if the specific version exists, or list all releases and search for the target version.
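The suggested fix as a shell function (an added example, not the project's own code): it maps a go.mod module path to its GitHub repository and checks that the specific version exists via the releases/tags/{version} endpoint named above, falling back to the git tag ref for versions that were tagged without a GitHub Release. It assumes GitHub-hosted modules with an optional /vN major-version suffix and a gh CLI on PATH.

```shell
#!/usr/bin/env bash
# Validate a go.mod dependency version by looking up that exact version,
# instead of comparing it against the latest release.

# Map a Go module path to owner/repo for GitHub-hosted modules.
# Example: github.com/matoous/go-nanoid/v2 -> matoous/go-nanoid
# (the /v2 major-version suffix is not part of the repository name).
# Returns 1 for modules not hosted on github.com, which this check cannot cover.
module_to_repo() {
  local module="$1"
  case "$module" in
    github.com/*/*)
      local rest="${module#github.com/}"
      local owner="${rest%%/*}"
      rest="${rest#*/}"
      local repo="${rest%%/*}"
      printf '%s/%s\n' "$owner" "$repo"
      ;;
    *) return 1 ;;
  esac
}

# Exit 0 if the version exists for the module, 1 if it does not,
# 2 if the module is not GitHub-hosted (result is unknown, not invalid).
version_exists() {
  local module="$1" version="$2" repo
  repo=$(module_to_repo "$module") || return 2
  # First choice from the issue: does a GitHub Release with this tag exist?
  # gh api exits non-zero on HTTP 404, so the exit status is the answer.
  gh api "repos/${repo}/releases/tags/${version}" >/dev/null 2>&1 && return 0
  # A Go version only needs a git tag; many modules never publish a Release,
  # so fall back to the tag ref before declaring the version invalid.
  gh api "repos/${repo}/git/ref/tags/${version}" >/dev/null 2>&1
}

# Usage: version_exists github.com/matoous/go-nanoid/v2 v2.1.0 && echo "ok"
```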
Impact
This causes false positive errors in code reviews, leading to unnecessary confusion and incorrect suggestions to users.
Reporter
Reported by @seriousben in the context of reviewing go.mod dependency additions.