Node.js packages are published with an incorrect version format because of the leading v

[WaldoJeffers]

What is the issue Most Node.js packages published on npm (under the @pulumi scope) are published with a v prefix in their version (as in v4.4.4), which has 2 drawbacks: 1/ Although npm unexpectedly allows it, I think it's not valid, since the version field is supposed to follow the semver convention (which doesn't allow for a leading v). Source: npm documentation 2/ It confuses many tools used to report (& update) out of date dependencies. For example, in the attached screenshot, the npm outdated command reports Pulumi dependencies as outdated although they are not, which I think (but not 100% certain) is caused by the v prefix

see the last 2 lines

What I would expect npm packages should be published without the leading v in the version field of the package.json file ~"version": "v3.10.1"~ => "version": "3.10.1"

How to fix the issue I think this line: sed -i.bak -e "s/\$${VERSION}/$(VERSION)/g" ./bin/package.json found in the following files:

• https://github.com/pulumi/ci-mgmt/blob/fcb7c182f656c01472041b572bd9291e9e041d30/provider-ci/blocked-providers/vault/repo/Makefile#L60
• https://github.com/pulumi/ci-mgmt/blob/fcb7c182f656c01472041b572bd9291e9e041d30/provider-ci/internal/pkg/templates/bridged-provider/Makefile#L72
• https://github.com/pulumi/ci-mgmt/blob/fcb7c182f656c01472041b572bd9291e9e041d30/provider-ci/test-workflows/aws/Makefile#L62
• https://github.com/pulumi/ci-mgmt/blob/fcb7c182f656c01472041b572bd9291e9e041d30/provider-ci/test-workflows/docker/Makefile#L61
• https://github.com/pulumi/ci-mgmt/blob/fcb7c182f656c01472041b572bd9291e9e041d30/provider-ci/test-workflows/cloudflare/Makefile#L61
• https://github.com/pulumi/ci-mgmt/blob/fcb7c182f656c01472041b572bd9291e9e041d30/provider-ci/blocked-providers/vault/repo/Makefile#L60

is responsible for the issue, but I don't know which file should be modified The line should probably be changed to something like: sed -i.bak -e "s/\$${VERSION}/${$(VERSION)/v/}/g" ./bin/package.json although I'm not too sure about the syntax, so please don't take this at face value (I don't use sed very often).

Additional remarks This issue has already been identified (at least partially) because some of these packages have the following comment in their getVersion utility function: https://github.com/pulumi/pulumi-random/blob/18c6c96091184ed1d8d47860b6ee20b4094f0b14/sdk/nodejs/utilities.ts#L43 However, this does not seem to be used to generate the actual string in the package.json file.

Native Providers

• [ ] aws-apigateway
• [ ] aws-native
• [ ] awsx
• [ ] azure-native
• [ ] command
• [ ] eks
• [ ] google-native
• [ ] kubernetes

Bridged Providers

Tier 1

• [ ] aws
• [x] gcp
• [ ] azure
• [ ] azuread

Tier 2

• [ ] aiven
• [ ] akamai
• [ ] alicloud
• [ ] archive
• [ ] artifactory
• [ ] auth0
• [ ] azuredevops
• [ ] civo
• [ ] cloudamqp
• [ ] cloudflare
• [ ] cloudinit
• [ ] confluentcloud
• [ ] consul
• [ ] databricks
• [ ] datadog
• [ ] digitalocean
• [ ] dnsimple
• [x] docker
• [ ] ec
• [ ] external
• [ ] f5bigip
• [ ] fastly
• [ ] github
• [ ] gitlab
• [ ] hcloud
• [ ] http
• [ ] kafka
• [ ] keycloak
• [ ] kong
• [ ] libvirt
• [ ] linode
• [ ] local
• [ ] mailgun
• [ ] minio
• [ ] mongodbatlas
• [ ] mysql
• [ ] newrelic
• [ ] nomad
• [ ] ns1
• [ ] null
• [ ] oci
• [ ] okta
• [ ] onelogin
• [ ] openstack
• [ ] opsgenie
• [ ] pagerduty
• [ ] postgresql
• [ ] rabbitmq
• [ ] rancher2
• [x] random
• [ ] rke
• [ ] signalfx
• [ ] slack
• [ ] snowflake
• [ ] splunk
• [ ] spotinst
• [ ] sumologic
• [ ] tailscale
• [ ] tls
• [ ] vault
• [ ] venafi
• [ ] vsphere
• [ ] wavefront

[mikhailshilkov]

@WaldoJeffers Thank you for noticing this. A naive question - looking at e.g. https://www.npmjs.com/package/@pulumi/aws or https://www.npmjs.com/package/@pulumi/docker - how do I see whether it has a "v" or not?

[WaldoJeffers]

Hello @mikhailshilkov , Thanks for your reply.

That's actually not a naive question at all! It also puzzled me since the UI on npmjs.com seems to strip any potential leading v character in the displayed version "box". Here are 2 ways to see if whether it is there or not:

• you could simply install the package using npm, in an empty repo:

  mkdir test_repo && cd test_repo
  npm init -f
  npm install @pulumi/docker
  cat node_modules/@pulumi/docker/package.json

  This will print the actual content of the package.json file in your terminal, and you should be able to have to a good look at the version field.

• Another way is to browse through the Code tab on the package's page on npmjs.com. You should be able to find the package.json file and inspect it directly in your browser (although the feature is marked as being in "beta" so I don't know if it's been released to 100% users at the moment). Here's a screenshot:

I really have no idea why they let users publish package with non-semver compatible versions though :/ I've definitely had my doubts and made the same mistake in the past.

Let me know how that works for you :)