Updater does not fully check for compatible versions of apps

[Bockeman]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• Nextcloud Server is running on 64bit capable CPU, PHP and OS.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

I've run into several problems over many NC upgrades. When updater.phar updates NC it also updates all enabled apps to the latest version. There does not appear to be any check that the latest version of any app is compatible with the latest version of NC.

Some examples:
nextcloud/cms_pico#227
newroco/emlviewer#47

Steps to reproduce

1. Select Beta for NC update versions
2. CLI updater.phar
3. Observe various errors or stack dumps

Expected behavior

updater.phar should not update an app that is incompatible with the NC update version

Installation method

Other Community project

Operating system

Other

PHP engine version

PHP 8.1

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Updated to a major version (ex. 22.2.3 to 23.0.1)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "veriserve.co.uk",
            "www.veriserve.co.uk",
            "82.38.154.248"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "25.0.2.2",
        "overwrite.cli.url": "http:\/\/www.veriserve.co.uk",
        "overwriteprotocol": "https",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "mail_smtpmode": "sendmail",
        "mail_sendmailmode": "smtp",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "htaccess.RewriteBase": "\/verivault",
        "maintenance": false,
        "theme": "veritheme",
        "loglevel": 0,
        "filesystem_check_changes": 1,
        "sqlite.journal_mode": "DELETE",
        "trashbin_retention_obligation": "auto,5",
        "versions_retention_obligation": "auto,5",
        "default_phone_region": "GB",
        "updater.release.channel": "beta",
        "localstorage.allowsymlinks": true,
        "app_install_overwrite": [
            "cms_pico"
        ]
    }
}

List of activated Apps

Enabled:
  - activity: 2.17.0
  - bookmarks: 11.0.4
  - calendar: 4.1.0
  - cloud_federation_api: 1.8.0
  - cms_pico: 1.0.21
  - comments: 1.15.0
  - dashboard: 7.5.0
  - dav: 1.24.0
  - federatedfilesharing: 1.15.0
  - files: 1.20.1
  - files_pdfviewer: 2.6.0
  - files_rightclick: 1.4.0
  - files_sharing: 1.17.0
  - firstrunwizard: 2.14.0
  - logreader: 2.10.0
  - lookup_server_connector: 1.13.0
  - nextcloud_announcements: 1.14.0
  - notifications: 2.13.1
  - oauth2: 1.13.0
  - password_policy: 1.15.0
  - passwords: 2022.12.20
  - photos: 2.0.1
  - privacy: 1.9.0
  - provisioning_api: 1.15.0
  - related_resources: 1.0.3
  - serverinfo: 1.15.0
  - settings: 1.7.0
  - sharebymail: 1.15.0
  - support: 1.8.0
  - survey_client: 1.13.0
  - theming: 2.0.1
  - twofactor_backupcodes: 1.14.0
  - updatenotification: 1.15.0
  - user_status: 1.5.0
  - viewer: 1.9.0
  - workflowengine: 2.7.0
Disabled:
  - admin_audit
  - apporder: 0.15.0
  - bruteforcesettings
  - circles: 23.1.0
  - cms_pico_1.1.0-beta.1
  - contactsinteraction: 1.4.0
  - emlviewer: 1.0.2
  - encryption
  - end_to_end_encryption: 1.11.0-beta.1
  - external: 5.0.0
  - federation: 1.13.0
  - files_external
  - files_trashbin: 1.13.0
  - files_versions: 1.16.0
  - forms: 3.0.1
  - login_notes: 1.1.0
  - ocr: 6.0.58
  - recommendations: 1.2.0
  - suspicious_login
  - systemtags: 1.13.0
  - text: 3.4.1
  - twofactor_totp
  - user_ldap
  - weather_status: 1.3.0

Nextcloud Signing status

No response

Nextcloud Logs

No response

Additional info

CLI Installation and many upgrades
OS = Fedora 37

[bbx-github]

This is maybe a duplicate of #241

[Bockeman]

@bbx-github thanks for your possible link to #241
#241 was closed as fixed two years ago.
Evidence
nextcloud/cms_pico#227
newroco/emlviewer#47
shows that there is still a problem here, whether or not related to #241

[joshtrichards]

When updater.phar updates NC it also updates all enabled apps to the latest version. There does not appear to be any check that the latest version of any app is compatible with the latest version of NC.

Technically the updater.phar doesn't update apps at all, but I understand what you're getting at. It triggers occ upgrade at the end, which does deploy db and app upgrades.

Your config looks to be the cause of at least part of this:

        "updater.release.channel": "beta",
[...]
        "app_install_overwrite": [
            "cms_pico"
        ]

• Any apps listed in app_install_overwrite have been force enabled. All compatibility checks are inherently bypassed for force enabled apps. You have cms_pico listed there.
• The updater.release.channel being set to beta means you get offered pre-release apps from the store if their info.xml says they're compatible

Also, since cms_pico is mentioned:

• The v1.1.0-beta.1 listed (and downloadable) in the app store is definitely not permitted for >v23. And it matches its branch in their repo (and I double-checked the max-version there too). However, their master branch (which I believe @PhrozenByte warns not to use) has an info.xml that also reports itself as v1.1.0-beta.1 and has a higher max-version set. Is it possible you installed that and/or did it from outside the app store?
• Do note thatgit installed (i.e. manually deployed outside of the app store) apps IIRC also have special handling. I believe they bypass too, but I'd have to re-look at the code