npm tags in group repositories not correctly resolved

[leabaertschi]

• What problem are you trying to solve?

We have a Nexus 3 with a group npm repositories. In there are the following repositories:

• npm-releases
• npm-snapshots

To npm-releases we only publish packages with tag latest and to npm-snapshots we only publish packages with tag canary. Nevertheless, when accessing the meta data for a package in npm-snapshots, the dist-tags contain the expected canary tag, but also a latest tag with the same version (they are all pre-release versions like 1.3.0-story-4750.3). The metadata in the npm-releases repo correctly only shows a latest tag with the stable version of the latest release. When looking now at the metadata of said package in the group repo it shows the latest and canary tags from npm-snapshots, although npm-releases comes first in the order of repositories.

In my opinion there are two things that don't work as expected:

1. in npm-snapshots there should be no latest tag
2. due to the order of repos the latest tag should not have the version from the npm-snapshots repo

• Do you have a workaround you are using at present? no

• What feature or behavior is this required for? npm install package@latest installs the correct version

• Tell us about your Nexus Repository deployment: what version, operating system, and database are you using? OSS 3.66.0-02 Linux OrientDB

[nblair]

Hi @leabaertschi - thanks for opening an issue. I don't quite understand from your message. When you use the term "tag," are you referring to the Pro tagging feature. If so, as a Pro customer someone from your organization can open a ticket with Sonatype Support.

If it's not in relation to that feature, can you provide a few more specific examples of package names/versions, and what the resulting metadata looks like?

[leabaertschi]

Hi @nblair. I'm talking about npm dist tags. I'll try to explain some more.

Let's say we have a package named MyPackage. While working on it I'm creating a pre release with a version 1.3.0-story-4750.1 so I can use and test it in another project. We publish this package to the npm-snapshots repository with an npm dist-tag canary by executing npm publish --tag canary --registry REGISTRY/npm-snapshots from within MyPackage. If I now look at the metadata for MyPackage I get the following dist-tags:

"dist-tags":{"canary":"1.3.0-story-4750.1","latest":"1.3.0-story-4750.1"}

My expectation is that there is only a canary tag, I never tagged this package with the latest tag.

Now I'm done with my changes and release a proper version 1.3.0 of MyPackage and push that one to npm-releases with an npm dist-tag latest. When looking at the metadata in the npm-releases package, I get a latest dist-tag with version 1.3.0, as expected. If I now however look at the metadata for MyPackage in the group repository (consisting of npm-releases and npm-snapshots in that order), I get again:

"dist-tags":{"canary":"1.3.0-story-4750.1","latest":"1.3.0-story-4750.1"}

Since npm-releases comes first in the order of repositories, I expect to get

"dist-tags":{"canary":"1.3.0-story-4750.1","latest":"1.3.0"}

or

"dist-tags":{"latest":"1.3.0"}

I hope this helps. Let me know if I can provide more information.