"jq" is version 1.6-r0 while it should be 1.6 according to APKBUILD
Hi guys,
when installing "jq" (https://pkgs.alpinelinux.org/package/v3.11/main/x86/jq), its version is 1.6**-r0** according to apk, but it should be 1.6:
```
λ docker run -it --entrypoint=/bin/sh alpine:3.11
/ # jq -version
/bin/sh: jq: not found
/ # apk update
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/community/x86_64/APKINDEX.tar.gz
v3.11.5-27-gdd7e83db96 [http://dl-cdn.alpinelinux.org/alpine/v3.11/main]
v3.11.5-25-g9f05c49f12 [http://dl-cdn.alpinelinux.org/alpine/v3.11/community]
OK: 11268 distinct packages available
/ # apk add jq
(1/2) Installing oniguruma (6.9.4-r0)
(2/2) Installing jq (1.6-r0)
Executing busybox-1.31.1-r9.trigger
OK: 7 MiB in 16 packages
```
When in reality, it is 1.6, no "r0" or "rc1" or such:
https://build.alpinelinux.org/buildlogs/build-3-11-x86_64/main/jq/jq-1.6-r0.log
```
...
>>> jq: Fetching https://github.com/stedolan/jq/archive/jq-1.6.tar.gz
>>> jq: Checking sha512sums...
jq-1.6.tar.gz: OK
>>> jq: Unpacking /var/cache/distfiles/v3.11/jq-1.6.tar.gz...
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, 'config'.
...
```
The last time it was touched to change its version was 2018-11: https://git.alpinelinux.org/aports/commit/main/jq/APKBUILD?id=0504e43ce9142e23dbf4a29127461ac3b501d584
It is rather nitpicky, but some automated vulnerability scans pick up "jq has a CVE in 1.5, upgrade to at least 1.6" and the 1.6_xx is registered as non-compliant. Such as this: https://github.com/aquasecurity/trivy/issues/245
Seeing that the update to "1.6" happened in 2018, something seems fishy with what apk is picking up as the latest version.
Cheers Dennis
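
An added example, not part of the original post and not code from apk or any scanner: a simplified comparator for apk-style version strings, showing how a plain string comparison misorders `1.6-r0` against a `_rc` threshold while a suffix-aware comparison does not. It covers only a subset of apk's ordering rules (integer components, one optional letter, known `_suffix` names, `-rN` package release); the "fixed in" values are constructed, and treating a missing `-rN` as lower than `-r0` is an assumption of this sketch.

```python
import re

# Suffix ranks: pre-release suffixes sort below the plain release (rank 0),
# post-release suffixes sort above it.
SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1,
               "cvs": 1, "svn": 2, "git": 3, "hg": 4, "p": 5}

APK_VERSION = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z]?)"
    r"(?P<suffixes>(?:_[a-z]+\d*)*)(?:-r(?P<pkgrel>\d+))?$")


def parse(version):
    """Return a sortable key: (numbers, letter, suffixes, package release)."""
    m = APK_VERSION.match(version)
    if m is None:
        raise ValueError(f"not an apk-style version: {version!r}")
    nums = tuple(int(n) for n in m["nums"].split("."))
    suffixes = []
    for name, num in re.findall(r"_([a-z]+)(\d*)", m["suffixes"]):
        if name not in SUFFIX_RANK:
            raise ValueError(f"unknown suffix _{name} in {version!r}")
        suffixes.append((SUFFIX_RANK[name], int(num or 0)))
    suffixes.append((0, 0))  # end marker: behaves like "plain release"
    # Assumption of this sketch: no -rN sorts below -r0.
    pkgrel = int(m["pkgrel"]) if m["pkgrel"] is not None else -1
    return nums, m["letter"], tuple(suffixes), pkgrel


def is_at_least(installed, fixed_in):
    """Suffix-aware check: is the installed version >= the fixed version?"""
    return parse(installed) >= parse(fixed_in)


def naive_is_at_least(installed, fixed_in):
    """What a plain string comparison would conclude (for contrast)."""
    return installed >= fixed_in


if __name__ == "__main__":
    installed = "1.6-r0"  # as reported by apk in the post
    for fixed_in in ("1.6_rc1-r0", "1.6-r0", "1.6"):  # constructed thresholds
        print(f"{installed} vs {fixed_in}: "
              f"aware={is_at_least(installed, fixed_in)} "
              f"naive={naive_is_at_least(installed, fixed_in)}")
```
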