rogeriochaves / npm-force-resolutions

Force npm to install a specific transitive dependency version

Invalid Version: >=5.1.1 #56

Open createthis opened 2 years ago

createthis commented 2 years ago

I'm using npm-force-resolutions@0.0.10 with node v16.14.0 and npm 8.3.1. I'm randomly seeing errors pop up, like:

Invalid Version: >=5.1.1

When this happens, I have no choice but to hunt for that string in my package.json (I always find it in the resolutions section), remove the >=, then perform this sequence to rebuild my package-lock.json:

rm package-lock.json
npm shrinkwrap
mv npm-shrinkwrap.json package-lock.json
npm install

Sometimes even that won't work. In these cases I have to go a step further:

rm -Rf node_modules
npm install

In this case, it was dot-prop's version causing the issue, but I've also had this problem with:

... and others.

This is very time consuming and frustrating, not to mention inefficient, having to restrict the version to a specific version instead of a range of versions.

Here's the full stack trace from /Users/jesse/.npm/_logs/2022-03-09T14_49_52_526Z-debug-0.log:

[Screenshot: Screen Shot 2022-03-09 at 9 51 59 AM]

This never used to happen with node v14.18.3, npm 8.3.1, and npm-force-resolutions@6.0.0. I would continue using npm-force-resolutions@6.0.0, but it doesn't appear to work with npm@8; my npm audit security vulnerabilities persist when I use 0.0.6 with npm@8.

createthis commented 2 years ago

@rogeriochaves FYI ^

mshah-aiondigital commented 2 years ago

Facing a similar problem with node 16.14 and npm 8.5 with other packages. The installation fails with a similar error for the axios package:

Invalid version: ^0.26.1

jithinktom commented 2 years ago

I am facing the same issue with node 16.15.1 and npm 8.11.0

44 verbose stack TypeError: Invalid Version: ^6.11.3
44 verbose stack at new SemVer (/Users/jithinktom/.nvm/versions/node/v16.15.1/lib/node_modules/npm/node_modules/semver/classes/semver.js:38:13)
44 verbose stack at compare (/Users/jithinktom/.nvm/versions/node/v16.15.1/lib/node_modules/npm/node_modules/semver/functions/compare.js:3:32)
44 verbose stack at Object.gte (/Users/jithinktom/.nvm/versions/node/v16.15.1/lib/node_modules/npm/node_modules/semver/functions/gte.js:2:30)

amenella commented 2 years ago

Spotted this issue with node v16.15.1 and npm version > 8.5 (8.6, 8.7, 8.8, 8.9, 8.10, 8.11, 8.12)

  "resolutions": {
    "glob-parent": ">=5.1.2"
  },

Also tried with the ^5.1.2 syntax, which is failing too.
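Added example (not part of the thread and not npm-force-resolutions code): the strings rejected in the reports above (`>=5.1.1`, `^0.26.1`, `^6.11.3`, `>=5.1.2`) are all ranges that reached semver's `SemVer` constructor, which only accepts an exact version. The sketch below is a pre-install check that lists `resolutions` entries that are not an exact MAJOR.MINOR.PATCH version; the function name and the sample `package.json` object are assumptions made for illustration.

```javascript
// Added example: pre-install lint for the "resolutions" block of package.json.
// Exact-version pattern from semver.org (MAJOR.MINOR.PATCH, optional
// -prerelease and +build). Anything else is treated as a range or tag.
const EXACT_SEMVER =
  /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*)?(?:\+[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*)?$/;

// Hypothetical helper: takes a parsed package.json object and returns one
// finding per "resolutions" entry that is not an exact version.
function findNonExactResolutions(pkg) {
  const resolutions = (pkg && pkg.resolutions) || {};
  const findings = [];
  for (const [name, spec] of Object.entries(resolutions)) {
    if (typeof spec !== "string") {
      findings.push({ name, spec, reason: "not a string" });
      continue;
    }
    const trimmed = spec.trim();
    if (EXACT_SEMVER.test(trimmed)) continue; // exact pin, nothing to report
    const op = trimmed.match(/^(>=|<=|>|<|\^|~|=)/);
    findings.push({
      name,
      spec,
      reason: op ? `range operator "${op[1]}"` : "not MAJOR.MINOR.PATCH",
    });
  }
  return findings;
}

// Constructed sample. The range strings are the ones quoted in the thread;
// "left-exact" and "pre-release" are made-up package names.
const samplePackageJson = {
  name: "example-app",
  resolutions: {
    "glob-parent": ">=5.1.2",
    "dot-prop": ">=5.1.1",
    axios: "^0.26.1",
    "left-exact": "1.2.3",
    "pre-release": "2.0.0-rc.1",
  },
};

for (const f of findNonExactResolutions(samplePackageJson)) {
  console.log(`${f.name}: "${f.spec}" (${f.reason})`);
}
```

The check is stricter than semver's own parser, which also tolerates a leading `v`; it only reports entries and does not choose a version to pin.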

amenella commented 2 years ago

just found that since npm 8.3, the official way to handle vulnerabilities of subdependencies with npm is to use the overrides attributes: