Open phryneas opened 1 month ago
This is a subtle one. npm itself includes the latest
tag when choosing a version from a range to determine what version to install.
If today you were to set your dependencies like this:
npm pkg set dependencies.react="^16.8.0 || ^17.0.0 || ^18.0.0 || >=19.0.0-rc <19.0.0"
And then ran npm install
you would get 18.3.1
in your tree, because that is what is tagged as latest
currently. If the latest
version is in the acceptable range, it is always used.
$ npm view react dist-tags.latest
18.3.1
The website is showing you all the versions npm would consider given that range. I'm not sure this is the right thing to do, especially as there is no indication on the page that it is taking that into consideration, nor is it trying to tell you what npm would install. npm also includes other things like engines
and os
to determine what versions it can install, and this page doesn't take any of that into consideration.
We'll leave this open to track what to do here. As of now at least you know why it's doing this.
Since the latest tag is mutable, i think the current behavior is ideal but perhaps it could use a sentence or two of prose explanation.
In our case it would be a peerDependency
- is it safe to assume that if the user would specify a React 19 RC as a direct dependency while installing our package, npm/semver
would honor that and not install react@latest
on top?
Yes I believe that's what would happen. The latest
is picked in the absence of an extant version in the tree. If the extant version satisfies the semver range it is kept, regadless of the latest
tag. To put it another way, this logic that looks for latest
is only employed when there is not a version of the package already in the tree.
(This example assumes install-links
is set to true
)
~/D/s/p/sub $ npm pkg set peerDependencies.react="^16.8.0 || ^17.0.0 || ^18.0.0 || >=19.0.0-rc <19.0.0"
~/D/s/p/sub $ cd ..
~/D/s/peerdeps $ npm i ./sub --install-links=true
added 4 packages, and audited 5 packages in 1s
found 0 vulnerabilities
~/D/s/peerdeps $ npm ls react
@gar/peer-deps-test@1.0.0 /Users/wraithgar/Development/scratch/peerdeps
└─┬ @gar/sub-dep-test@1.0.0
└── react@18.3.1
~/D/s/peerdeps $ npm pkg set dependencies.react="^19.0.0-rc"
~/D/s/peerdeps $ npm i
removed 2 packages, changed 1 package, and audited 3 packages in 784ms
found 0 vulnerabilities
~/D/s/peerdeps $ npm ls react
@gar/peer-deps-test@1.0.0 /Users/wraithgar/Development/scratch/peerdeps
├─┬ @gar/sub-dep-test@1.0.0
│ └── react@19.0.0-rc-fb9a90fa48-20240614 deduped
└── react@19.0.0-rc-fb9a90fa48-20240614
Okay, that helps a lot - thank you :)
Is there an existing issue for this?
Current Behavior
This is not a bug with the
semver
package, but with https://semver.npmjs.com/I couldn't find any better place to report this, so I hope I'm right here or the maintainers know where I can report this correctly.
Currently, if you go to https://semver.npmjs.com/ and search for
^16.8.0 || ^17.0.0 || ^18.0.0 || >=19.0.0-rc <19.0.0
, it misses all React 19 RCs in the results.Expected Behavior
Irritatingly, when removing
^18.0.0
from that list, it gives a result that seems correctSteps To Reproduce
go to https://semver.npmjs.com/ and search for
^16.8.0 || ^17.0.0 || ^18.0.0 || >=19.0.0-rc <19.0.0
Environment
Firefox