src/Control/ConsumerSubmitControl.php has
'version' => '/^\d{1,3}(\.\d{1,2}){0,2}(-(dev|alpha|beta))?$/',
Seems better if we can just use composer/semver to validate rather than wheel reinvention?
See also T277388: OAuth doesn't validate length of oarc_version (CVE-2021-31555)