"jq" is version 1.6-r0 while it should be 1.6 according to APKBUILD
When installing "jq" (https://pkgs.alpinelinux.org/package/v3.11/main/x86/jq), its version is 1.6**-r0** according to apk, but it should be 1.6:

```
λ docker run -it --entrypoint=/bin/sh alpine:3.11
/ # jq -version
/bin/sh: jq: not found
/ # apk update
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/community/x86_64/APKINDEX.tar.gz
v3.11.5-27-gdd7e83db96 [http://dl-cdn.alpinelinux.org/alpine/v3.11/main]
v3.11.5-25-g9f05c49f12 [http://dl-cdn.alpinelinux.org/alpine/v3.11/community]
OK: 11268 distinct packages available
/ # apk add jq
(1/2) Installing oniguruma (6.9.4-r0)
(2/2) Installing jq (1.6-r0)
Executing busybox-1.31.1-r9.trigger
OK: 7 MiB in 16 packages
```

When in reality, it is 1.6, no "r0" or "rc1" or such:

```
...
>>> jq: Fetching https://github.com/stedolan/jq/archive/jq-1.6.tar.gz
>>> jq: Checking sha512sums...
jq-1.6.tar.gz: OK
>>> jq: Unpacking /var/cache/distfiles/v3.11/jq-1.6.tar.gz...
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, 'config'.
...
```

The last time it was touched to change its version was 2018-11: https://git.alpinelinux.org/aports/commit/main/jq/APKBUILD?id=0504e43ce9142e23dbf4a29127461ac3b501d584

It is rather nitpicky, but some automated vulnerability scans pick up "jq has a CVE in 1.5, upgrade to at least 1.6" and the 1.6_xx is registered as non-compliant. Such as this: https://github.com/aquasecurity/trivy/issues/245

Seeing that the update to "1.6" happened in 2018, something seems fishy with what apk is picking up as the latest version.
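
An added example, not part of the original report and not Trivy's or apk-tools' code: a simplified comparison of Alpine package version strings in which the trailing `-rN` is read as the package release set in the APKBUILD (`pkgrel`), separate from the upstream version. The function names and every sample string other than `1.6-r0` are assumptions made for illustration.

```python
import re

# Simplified model of an Alpine version string: <pkgver>[_suffix[N]][-r<pkgrel>].
# Assumption: this is not apk-tools' comparison code and covers common shapes only.
_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z]?)"
    r"(?:_(?P<suffix>[a-z]+)(?P<suffix_num>\d*))?"
    r"(?:-r(?P<pkgrel>\d+))?$"
)
# Suffix ranks: negative sorts before the bare version, positive after it.
_SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1,
                "cvs": 1, "svn": 2, "git": 3, "hg": 4, "p": 5}


def parse_apk_version(text):
    """Return a sortable key: (numbers, letter, suffix rank, suffix no., pkgrel)."""
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    suffix = m.group("suffix")
    if suffix is not None and suffix not in _SUFFIX_RANK:
        raise ValueError(f"unknown suffix in {text!r}")
    return (
        tuple(int(n) for n in m.group("nums").split(".")),
        m.group("letter"),
        _SUFFIX_RANK.get(suffix, 0),
        int(m.group("suffix_num") or 0),
        int(m.group("pkgrel") or 0),
    )


def upstream_version(text):
    """Strip the packaging release so '1.6-r0' reports upstream '1.6'."""
    parse_apk_version(text)  # validate before stripping
    return re.sub(r"-r\d+$", "", text)


def is_at_least(installed, fixed_in):
    """True when the installed package is at or past the fixed version."""
    return parse_apk_version(installed) >= parse_apk_version(fixed_in)


if __name__ == "__main__":
    # Constructed sample inputs; only 1.6-r0 appears in the report above.
    for installed in ("1.5-r5", "1.6_rc1-r0", "1.6-r0", "1.10-r0"):
        print(installed, upstream_version(installed), is_at_least(installed, "1.6"))
```
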