yarnpkg / yarn

The 1.x line is frozen - features and bugfixes now happen on https://github.com/yarnpkg/berry
https://classic.yarnpkg.com

With multiple pre-release tags, yarn upgrades to "latest" tag instead of following semver #6973

Open tomkel opened 5 years ago

tomkel commented 5 years ago

Do you want to request a feature or report a bug?

Bug

What is the current behavior?

If I have published a few versions of a package, with the latest tag set to a pre-release

{ name: 'mydep',
  versions:
   [ '1.0.0-a.0',
     '1.0.0-z.0',
     '0.0.99' ],
  'dist-tags':
   { latest:
      '1.0.0-a.0' },
}

And the parent package has the version range to include all pre-release tags on 1.0.0

{
  "name": "parent",
  "dependencies": {
    "mydep": ">=1.0.0-a.0 <1.0.0"
  }
}

Yarn will install whatever the latest tag points to.

"mydep@>=1.0.0-a.0 <1.0.0":
  version "1.0.0-a.0"

However, after moving the latest tag with npm dist-tag add mydep@0.0.99, running rm yarn.lock, and rerunning yarn install, yarn will select the pre-release version lexicographically.

"mydep@>=1.0.0-a.0 <1.0.0":
  version "1.0.0-z.0"

If the current behavior is a bug, please provide the steps to reproduce.

Install verdaccio

What is the expected behavior?

https://semver.org/#spec-item-11 Semver spec says that the correct pre-release version should be selected lexicographically.

Nothing in npm semver docs https://docs.npmjs.com/misc/semver

This bug reproduces in npm as well

Please mention your node.js, yarn and operating system version.

yarn 1.13, npm 6.7.0, macOS Mojave
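The resolution behaviour reported above, modelled as an added example (not yarn's or npm's code, and not part of the original issue): the latest dist-tag is returned whenever it falls inside the range, and semver precedence decides only otherwise. The helper names and the two-bound range object are assumptions; node-semver's full range grammar is not implemented.

```javascript
// Added illustration; not yarn's or npm's code. All helper names are hypothetical.
// Split "1.0.0-a.0" into core [1,0,0] and pre-release identifiers ["a","0"].
function parse(v) {
  const [core, pre] = v.split(/-(.+)/);
  return { core: core.split('.').map(Number), pre: pre ? pre.split('.') : [] };
}

// Precedence as defined in semver.org spec item 11.
function compare(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  }
  // A release outranks every pre-release of the same core version.
  if (!x.pre.length || !y.pre.length) return Math.sign(y.pre.length - x.pre.length);
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined) return -1; // fewer identifiers ranks lower
    if (q === undefined) return 1;
    if (p === q) continue;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) return Number(p) < Number(q) ? -1 : 1;
    if (pn !== qn) return pn ? -1 : 1; // numeric ranks below alphanumeric
    return p < q ? -1 : 1; // ASCII order
  }
  return 0;
}

// Assumed range form: two bounds only, standing in for ">=1.0.0-a.0 <1.0.0".
const inRange = (v, r) => compare(v, r.gte) >= 0 && compare(v, r.lt) < 0;

// Highest version in the range by semver precedence alone.
function maxSatisfying(versions, r) {
  const ok = versions.filter(v => inRange(v, r)).sort(compare);
  return ok.length ? ok[ok.length - 1] : null;
}

// Behaviour described in the report: the latest tag wins whenever it is in range.
function resolve(meta, r) {
  const latest = meta['dist-tags'].latest;
  return inRange(latest, r) ? latest : maxSatisfying(meta.versions, r);
}

// Constructed sample data, using the values from the report.
const versions = ['1.0.0-a.0', '1.0.0-z.0', '0.0.99'];
const range = { gte: '1.0.0-a.0', lt: '1.0.0' };
const tagOnPre = resolve({ versions, 'dist-tags': { latest: '1.0.0-a.0' } }, range);
const tagMoved = resolve({ versions, 'dist-tags': { latest: '0.0.99' } }, range);
console.log({ tagOnPre, tagMoved, semverOnly: maxSatisfying(versions, range) });
```

Because dist-tags are mutable registry metadata, the same package.json resolves to a different version once yarn.lock is removed and the tag has moved; a committed lockfile is what keeps the installed version fixed.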

nimaloo commented 3 years ago

Any updates on this? I'm having the same issue using yarn 2. When I run yarn up it will update my package.json including pre-released versions.