Previously (v1.52.1) npm projects using lockfile v2 and above that had dependencies that use the "npm dist-tags" feature were able to be scanned by this library.
Since then the npm lockfile v2 parsing code has been iterated upon, fixing a number of bugs. Unfortunately one of these bugs was masking the fact we did not support dist-tags as it was just choosing a version that matched the name. Once semver checks were added, these dist-tag versions started to fail to be found which caused parsing to error out.
To fix this I have skipped just the semver part of the resolution algorithm if the version provided is not valid semver, i.e. if it is a dist-tag. The algorithm then continues to look through potential parents to find a node that would satisfy - note that in complicated dep trees, there may be some ambiguity to the node that should be used for the tag - but this is desirable over failure in the larger case.
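The resolution walk described above, as an added example that is not part of the original pull request or the library's code: the lockfile contents and the simplified semver matcher are constructed for illustration, and `tolerateTags=false` reproduces the pre-fix failure.

```javascript
// Added example, not the project's own code: a minimal resolver for the
// "packages" map of an npm lockfile v2, walking up the node_modules parent
// chain. The semver check is skipped when the requested spec is not valid
// semver (a dist-tag such as "next" or "latest"), as the fix describes.
// Constructed sample lockfile (only the fields the resolver needs).
const LOCK = {
  "": { dependencies: { a: "^1.0.0", b: "next" } },
  "node_modules/a": { version: "1.2.0", dependencies: { c: "^2.0.0" } },
  "node_modules/b": { version: "3.0.0-beta.1" },
  "node_modules/c": { version: "1.5.0" },
  "node_modules/a/node_modules/c": { version: "2.1.0" },
};

// Simplified semver: exact, ^ and ~ over x.y.z (not the full range grammar).
const SPEC_RE = /^([\^~]?)(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?$/;
const isSemverSpec = (spec) => SPEC_RE.test(spec);

function satisfies(version, spec) {
  const m = SPEC_RE.exec(spec);
  const v = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m || !v) return false;
  const op = m[1];
  const want = m.slice(2, 5).map(Number);
  const have = v.slice(1, 4).map(Number);
  // Sign of the first differing component decides ordering.
  const cmp = have.map((x, i) => x - want[i]).find((d) => d !== 0) || 0;
  if (op === "") return cmp === 0;
  if (cmp < 0) return false;
  if (op === "^") return have[0] === want[0];
  return have[0] === want[0] && have[1] === want[1]; // "~"
}

// Parent scope of a package path: "node_modules/a/node_modules/c" -> "node_modules/a".
function parentScope(p) {
  const i = p.lastIndexOf("/node_modules/");
  return i < 0 ? "" : p.slice(0, i);
}

// Resolve `name@spec` as required by the package at `from`. The nearest
// node_modules entry wins; with tolerateTags=false (pre-fix behaviour) a
// dist-tag can never satisfy the check, so resolution fails with null.
function resolve(lock, from, name, spec, tolerateTags = true) {
  const checkRange = isSemverSpec(spec) || !tolerateTags;
  let scope = from;
  for (;;) {
    const cand = (scope ? scope + "/" : "") + "node_modules/" + name;
    const node = lock[cand];
    if (node && (!checkRange || satisfies(node.version, spec))) return cand;
    if (scope === "") return null; // reached the root without a match
    scope = parentScope(scope);
  }
}
```

A dist-tag requested from a nested package resolves to the nearest name match, which is the ambiguity the description mentions.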