dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Error updating an npm tagged version #3865

Closed ImRodry closed 3 years ago

ImRodry commented 3 years ago

Package ecosystem: npm

Package manager version: 7.15.0

Language version: Node v14.17.0

Manifest location and content prior to update: package.json and package-lock.json

dependabot.yml content: https://github.com/Hypixel-Translators/hypixel-translators-bot/blob/master/.github/dependabot.yml

Updated dependency: discord.js@dev

What you expected to see, versus what you actually saw: I expected the dependency to be updated to the latest version with the @dev tag, just like the one that was installed. Instead, dependabot tried to install one that was 8 days old and kept insisting that that was the latest version after I recreated the PR and re-ran the check.

Native package manager behavior: The latest version with the @dev tag is installed.

Images of the diff or a link to the PR, issue or logs:
PR: https://github.com/Hypixel-Translators/hypixel-translators-bot/pull/349
Logs for this dependency: (image)
Versions on the NPM website: https://www.npmjs.com/package/discord.js?activeTab=versions

🕹 Bonus points: Smallest manifest that reproduces the issue

{
  "name": "test",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "MIT",
  "dependencies": {
    "discord.js": "^13.0.0-dev.e980948de55e91e59c9e3293ac76bc645a058a53"
  }
}

This is a preview of a basic package.json that should be able to reproduce the issue.

jurre commented 3 years ago

@ImRodry I'm trying to reproduce this, but it seems like this may have already been resolved:

bin/dry-run.rb npm_and_yarn Hypixel-Translators/hypixel-translators-bot --dep=discord.js --commit=df7ff88cc96f1bf57d70ca6f9b318349f6917ee2
warning: parser/current is loading parser/ruby26, which recognizes
warning: 2.6.7-compliant syntax, but you are running 2.6.6.
warning: please see https://github.com/whitequark/parser#compatibility-with-ruby-mri.
=> fetching dependency files
=> dumping fetched dependency files: ./dry-run/Hypixel-Translators/hypixel-translators-bot/
=> parsing dependency files
=> updating 1 dependencies: discord.js

=== discord.js (13.0.0-dev.e980948de55e91e59c9e3293ac76bc645a058a53)
 => checking for updates 1/1
 => latest available version is 13.0.0-dev.918921e8211fc16e9b12d2502f3168264246ea22
 => latest allowed version is 13.0.0-dev.918921e8211fc16e9b12d2502f3168264246ea22
 => requirements to unlock: own
 => requirements update strategy: bump_versions
 => updating discord.js from 13.0.0-dev.e980948de55e91e59c9e3293ac76bc645a058a53 to 13.0.0-dev.918921e8211fc16e9b12d2502f3168264246ea22

    ± package.json
    ~~~
    20c20
    <     "discord.js": "^13.0.0-dev.e980948de55e91e59c9e3293ac76bc645a058a53",
    ---
    >     "discord.js": "^13.0.0-dev.918921e8211fc16e9b12d2502f3168264246ea22",
    ~~~

This seems to be the latest version currently released on npm:

(Screenshot of the npm versions page, 2021-06-15 14:17)

We've since upgraded our npm/arborist dependencies, so these may have included a fix. I'm going to close this out, but feel free to ping us if you run into this again.

ImRodry commented 3 years ago

@jurre these versions work off of commit hashes. The only reason it worked for you is because the latest version (at the time you tried to run this) was one where the commit hash started with a 9, which was bigger than the previous one which started with a 7. Due to this, these versions no longer update after that one so I think this should be reopened. Despite that, this is the same behavior that is seen with npm update so I’m not sure if you can do much here.

jurre commented 3 years ago

Ah right, thanks for clarifying. In that case there's really no way for us (or npm) to know which sha comes later, I'm afraid :(

Could we ask the discord.js maintainers to choose a different versioning scheme for those dev releases? If it was a date or an incrementing number that'd work.

ImRodry commented 3 years ago

Yeah I believe I asked @iCrawl at some point about this and he said that it wouldn’t be worth it as these releases weren’t meant to last long. I believe that they could improve that system in a way that the version number is always increasing to prevent issues like this, if they do decide to release more dev versions after v13. Thank you for your explanation!
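The ordering problem jurre and ImRodry discuss above, as an added example (not code from dependabot-core, npm or discord.js): a minimal comparator following the semver 2.0 precedence rules, run over the two hashes from the thread, shows that a commit-hash prerelease identifier sorts in ASCII order rather than publication order, while a date or an incrementing number compares numerically. The date-based tags are constructed for illustration.

```javascript
// Added example, not code from dependabot-core or discord.js: a minimal
// semver 2.0 comparator (prerelease rules from spec section 11) used to show
// that commit-hash prerelease tags carry no chronological order.
const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { core: [m[1], m[2], m[3]].map(Number), pre: m[4] ? m[4].split(".") : [] };
}

// One prerelease identifier: purely numeric ones compare as numbers and rank
// below any identifier containing letters; the rest compare in ASCII order.
function compareIdentifier(a, b) {
  const aNum = /^\d+$/.test(a);
  const bNum = /^\d+$/.test(b);
  if (aNum && bNum) return cmp(Number(a), Number(b));
  if (aNum !== bNum) return aNum ? -1 : 1;
  return cmp(a, b);
}

// Full precedence: major.minor.patch first, then prerelease identifiers left to
// right; a release outranks any prerelease of the same core version.
function compareSemver(x, y) {
  const a = parseVersion(x);
  const b = parseVersion(y);
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return cmp(a.core[i], b.core[i]);
  }
  if (a.pre.length === 0 || b.pre.length === 0) return cmp(b.pre.length, a.pre.length);
  for (let i = 0; i < Math.min(a.pre.length, b.pre.length); i++) {
    const c = compareIdentifier(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  return cmp(a.pre.length, b.pre.length);
}

// Would an updater that only moves to a higher version take this candidate?
const isUpgrade = (current, candidate) => compareSemver(candidate, current) > 0;

// Highest version under semver precedence (what "latest" means to a resolver).
const highest = (versions) => [...versions].sort(compareSemver).pop();

// Constructed sample, in publication order: the build the reporter had
// installed, then the one published later that the dry run found.
const HASH_TAGGED = [
  "13.0.0-dev.e980948de55e91e59c9e3293ac76bc645a058a53",
  "13.0.0-dev.918921e8211fc16e9b12d2502f3168264246ea22",
];
// The same two builds with a date-based tag instead (constructed dates).
const DATE_TAGGED = ["13.0.0-dev.20210607", "13.0.0-dev.20210615"];

console.log(isUpgrade(HASH_TAGGED[0], HASH_TAGGED[1])); // false: "9..." sorts before "e..."
console.log(isUpgrade(DATE_TAGGED[0], DATE_TAGGED[1])); // true: numeric identifiers compare as numbers
```

Note that the dry run above did move from the e980948 build to the 918921e build, the opposite of what spec precedence gives, so which hash a given tool treats as newer depends on its own comparison code; what no comparison can recover from a hash is the publication time.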