Previously, if this parser saw a version specifier like npm:something@^1.0.0, this whole specifier was used as the version in the depgraph. This is a bit disingenuous, as we should be able to resolve the version this actually gets resolved to using the lockfile. This behavior also causes downstream issues in the Snyk CLI.
Now an attempt is made to resolve these versions to just the final version range in the specifier.
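As an added illustration of the string-level part of this change (example code, not the parser's own implementation), the function below splits an npm alias specifier such as npm:something@^1.0.0 into the aliased package name and the range that should go into the depgraph; scoped aliases and aliases without a range are handled too. Resolving that range to a concrete version via the lockfile is a separate step that this example does not perform, and the fallback of "*" for a missing range is an assumption of the example.

```javascript
// Added example: reduce an npm alias specifier to the range it resolves to,
// instead of carrying the whole "npm:name@range" string as the version.

const NPM_ALIAS_PREFIX = 'npm:';

/**
 * Return { name, range } for a dependency specifier.
 * For a plain range ("^1.0.0") name is null and the range is returned as-is.
 * For "npm:<aliasedName>[@<range>]" the aliased package name and its range
 * are split apart so only the range is recorded as the version.
 */
function resolveAliasSpecifier(specifier) {
  if (!specifier.startsWith(NPM_ALIAS_PREFIX)) {
    return { name: null, range: specifier };
  }
  const target = specifier.slice(NPM_ALIAS_PREFIX.length);
  // A scoped name starts with "@" ("npm:@scope/pkg@^2.0.0"), so look for the
  // "@" that separates name from range only after the first character.
  const at = target.indexOf('@', 1);
  if (at === -1) {
    // No range given ("npm:lodash"): this example treats it as "*" (any
    // version); the lockfile would supply the concrete resolved version.
    return { name: target, range: '*' };
  }
  return { name: target.slice(0, at), range: target.slice(at + 1) };
}

// Before this change the depgraph version was the full specifier;
// after it, only the range is used.
function versionForDepGraph(specifier) {
  return resolveAliasSpecifier(specifier).range;
}
```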