JS-DevTools / npm-publish

GitHub Action to publish to NPM
https://jstools.dev/npm-publish
MIT License

`v`-prefix in `package.json` version causes false negative during version comparison #139

Closed scraly closed 1 year ago

scraly commented 1 year ago

Hi,

I've got an issue. Even if an npm package already exists with the current version, the gh action wants to publish it again:

    npm ERR! 403 403 Forbidden - PUT https://registry.npmjs.org/@xxx%2fxxx - You cannot publish over the previously published versions: 0.34.0.

My GH action:

      - if: ${{ matrix.language == 'nodejs' && env.PUBLISH_NPM == 'true' }}
        uses: JS-DevTools/npm-publish@v2.2.1
        with:
          access: "public"
          token: ${{ env.NPM_TOKEN }}
          package: ${{github.workspace}}/sdk/nodejs/bin/package.json
          provenance: true

I've tried with `strategy: upgrade` without success.

Thanks

scraly commented 1 year ago

After several tries, the strategy upgrade resolved it... crossed fingers for the next time :)

mcous commented 1 year ago

Hi @scraly, that doesn't sound good. Is this the repository? https://github.com/ovh/pulumi-ovh

If so, I believe the cause is that in your `package.json`, the `version` field is `v0.34.0`. I've always seen the version field without the `v`, because that's what the `npm version` command writes.

  {
      "name": "@ovh-devrelteam/pulumi-ovh",
-     "version": "v0.34.0",
+     "version": "0.34.0",
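Review bot: the `+` line drops the `v` by hand for this one release, and the hunk shows nothing that keeps the prefix from coming back. If the `version` field is generated (from a git tag, for example), strip the prefix where the value is produced, or validate the field in CI before the publish step, so that `package.json` always carries a plain `MAJOR.MINOR.PATCH` string.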

I didn't truthfully know that npm would accept that! But, since node-semver can parse it, npm seems happy. The bug in npm-publish is that it only checks strings in the default strategy. It calls `npm info @ovh-devrelteam/pulumi-ovh` and receives `0.34.0` from npm. Since `0.34.0 !== v0.34.0` (from npm and the `package.json`, respectively), it tries to publish.

The reason `strategy: upgrade` works is because in the upgrade strategy, we pass both versions into node-semver to compare them.
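The false negative discussed in this thread, as an added example that is not code from npm-publish or node-semver: a string check and a parsed comparison are run on the two values from the issue. The function names and the minimal version parser are assumptions made for illustration; the parser accepts only an optional leading `v` and stands in for node-semver.

```javascript
// Added example; hypothetical helpers, not npm-publish's or node-semver's code.
// Minimal parser: optional leading "v", MAJOR.MINOR.PATCH, optional prerelease/build.
const SEMVER =
  /^\s*v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?\s*$/;

function parseVersion(raw) {
  const m = SEMVER.exec(String(raw));
  if (!m) return null;
  return { core: m.slice(1, 4).map(Number), pre: m[4] ? m[4].split(".") : [] };
}

// Prerelease identifiers: numeric ones compare as numbers and sort before text.
function compareIdentifiers(a, b) {
  const aNum = /^\d+$/.test(a);
  const bNum = /^\d+$/.test(b);
  if (aNum && bNum) return Math.sign(Number(a) - Number(b));
  if (aNum !== bNum) return aNum ? -1 : 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1; throws on input that is not a version at all.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  if (!x || !y) throw new TypeError(`not a semantic version: ${x ? b : a}`);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  }
  // A release outranks every prerelease of the same core version.
  if (!x.pre.length || !y.pre.length) return Math.sign(y.pre.length - x.pre.length);
  for (let i = 0; i < Math.min(x.pre.length, y.pre.length); i++) {
    const c = compareIdentifiers(x.pre[i], y.pre[i]);
    if (c !== 0) return c;
  }
  return Math.sign(x.pre.length - y.pre.length);
}

// String check, as described for the default strategy: any difference publishes.
function shouldPublishByString(manifestVersion, publishedVersion) {
  return manifestVersion !== publishedVersion;
}

// Parsed comparison, as described for the upgrade strategy: only a newer version publishes.
function shouldPublishBySemver(manifestVersion, publishedVersion) {
  return compareVersions(manifestVersion, publishedVersion) > 0;
}

// Values from this issue: package.json says "v0.34.0", the registry reports "0.34.0".
console.log(shouldPublishByString("v0.34.0", "0.34.0")); // true  -> 403 on publish
console.log(shouldPublishBySemver("v0.34.0", "0.34.0")); // false -> skipped
```

Because `compareVersions` throws on anything it cannot parse, a malformed `version` field stops the job instead of being read as a new release.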