Open createthis opened 2 years ago
@rogeriochaves FYI ^
Facing a similar problem with node 16.14 and npm 8.5 with other packages. The installation fails with a similar error for the axios package:
Invalid version: ^0.26.1
I am facing the same issue with node 16.15.1 and npm 8.11.0
44 verbose stack TypeError: Invalid Version: ^6.11.3
44 verbose stack     at new SemVer (/Users/jithinktom/.nvm/versions/node/v16.15.1/lib/node_modules/npm/node_modules/semver/classes/semver.js:38:13)
44 verbose stack     at compare (/Users/jithinktom/.nvm/versions/node/v16.15.1/lib/node_modules/npm/node_modules/semver/functions/compare.js:3:32)
44 verbose stack     at Object.gte (/Users/jithinktom/.nvm/versions/node/v16.15.1/lib/node_modules/npm/node_modules/semver/functions/gte.js:2:30)
spotted this issue with node v16.15.1 and npm version > 8.5 (8.6, 8.7, 8.8, 8.9, 8.10, 8.11, 8.12)
"resolutions": {
  "glob-parent": ">=5.1.2"
},
also tried with ^5.1.2 syntax which is failing too
just found that since npm 8.3, the official way to handle vulnerabilities of subdependencies with npm is to use the overrides attributes:
I'm using npm-force-resolutions@0.0.10 with node v16.14.0 and npm 8.3.1. I'm randomly seeing errors pop up, like: Invalid Version: >=5.1.1
When this happens, I have no choice but to hunt for that string in my package.json (I always find it in the resolutions section), remove the >=, then perform this sequence to rebuild my package-lock.json:
Sometimes even that won't work. In these cases I have to go a step further:
In this case, it was dot-prop's version causing the issue, but I've also had this problem with:
lodash
mem
terser-webpack-plugin
ansi-regex
postcss
... and others.
This is very time consuming and frustrating, not to mention inefficient, having to restrict the version to a specific version instead of a range of versions.
Here's the full stack trace from /Users/jesse/.npm/_logs/2022-03-09T14_49_52_526Z-debug-0.log:
This never used to happen with node v14.18.3, npm 8.3.1, and npm-force-resolutions@6.0.0. I would continue using npm-force-resolutions@6.0.0, but it doesn't appear to work with npm@8; my npm audit security vulnerabilities persist when I use 0.0.6 with npm@8.
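The stack traces in this thread show a range string such as >=5.1.1 reaching new SemVer(), which only parses exact versions. The following added example (not code from the thread or from npm-force-resolutions) lists which resolutions entries are ranges and copies the entries into the overrides field mentioned above. The names auditResolutions and EXACT_SEMVER are hypothetical, the sample package.json is constructed, and resolutions keys are assumed to be plain package names.

```javascript
// Added example, not from the thread. auditResolutions and EXACT_SEMVER are
// hypothetical names; the sample package.json below is constructed.

// Approximation of the exact-version form that `new SemVer()` accepts
// (optional "v", MAJOR.MINOR.PATCH, optional -prerelease and +build).
// Range operators such as ^, ~ and >= do not match.
const EXACT_SEMVER =
  /^v?(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?(\+[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?$/;

function auditResolutions(pkg) {
  const resolutions = pkg.resolutions || {};
  const report = {
    exact: [],   // names pinned to one exact version
    ranges: [],  // entries that would fail exact-version parsing
    overrides: { ...(pkg.overrides || {}) },
  };
  for (const [name, spec] of Object.entries(resolutions)) {
    const value = String(spec).trim();
    if (EXACT_SEMVER.test(value)) {
      report.exact.push(name);
    } else {
      report.ranges.push({ name, spec: value });
    }
    // Copy the entry into overrides; an override already present is kept.
    if (!(name in report.overrides)) report.overrides[name] = value;
  }
  return report;
}

// Constructed sample input using package names and specs quoted in the thread.
const samplePackageJson = {
  name: "sample-app",
  version: "1.0.0",
  resolutions: {
    "glob-parent": ">=5.1.2",
    "dot-prop": ">=5.1.1",
    lodash: "4.17.21", // constructed exact version
  },
};

const report = auditResolutions(samplePackageJson);
console.log("range specs:", report.ranges);
console.log(JSON.stringify({ overrides: report.overrides }, null, 2));
```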