Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[BUG] wrong results on semver.npmjs.com #729

Open
1 task done
phryneas opened this issue Jul 12, 2024 · 5 comments
Open
1 task done

[BUG] wrong results on semver.npmjs.com #729

phryneas opened this issue Jul 12, 2024 · 5 comments
Labels
Bug thing that needs fixing Priority 2 will get attention when we're freed up

Comments

@phryneas
Copy link

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

This is not a bug with the semver package, but with https://semver.npmjs.com/

I couldn't find any better place to report this, so I hope I'm right here or the maintainers know where I can report this correctly.

Currently, if you go to https://semver.npmjs.com/ and search for ^16.8.0 || ^17.0.0 || ^18.0.0 || >=19.0.0-rc <19.0.0, it misses all React 19 RCs in the results.
image

Expected Behavior

Irritatingly, when removing ^18.0.0 from that list, it gives a result that seems correct

image

Steps To Reproduce

go to https://semver.npmjs.com/ and search for ^16.8.0 || ^17.0.0 || ^18.0.0 || >=19.0.0-rc <19.0.0

Environment

Firefox

@phryneas phryneas added Bug thing that needs fixing Needs Triage needs an initial review labels Jul 12, 2024
@wraithgar wraithgar added Priority 2 will get attention when we're freed up and removed Needs Triage needs an initial review labels Jul 12, 2024
@wraithgar
Copy link
Member

wraithgar commented Jul 12, 2024

This is a subtle one. npm itself includes the latest tag when choosing a version from a range to determine what version to install.

If today you were to set your dependencies like this:

npm pkg set dependencies.react="^16.8.0 || ^17.0.0 || ^18.0.0 || >=19.0.0-rc <19.0.0"

And then ran npm install you would get 18.3.1 in your tree, because that is what is tagged as latest currently. If the latest version is in the acceptable range, it is always used.

$ npm view react dist-tags.latest
18.3.1

The website is showing you all the versions npm would consider given that range. I'm not sure this is the right thing to do, especially as there is no indication on the page that it is taking that into consideration, nor is it trying to tell you what npm would install. npm also includes other things like engines and os to determine what versions it can install, and this page doesn't take any of that into consideration.

We'll leave this open to track what to do here. As of now at least you know why it's doing this.

@ljharb
Copy link

ljharb commented Jul 12, 2024

Since the latest tag is mutable, i think the current behavior is ideal but perhaps it could use a sentence or two of prose explanation.

@phryneas
Copy link
Author

phryneas commented Jul 12, 2024

In our case it would be a peerDependency - is it safe to assume that if the user would specify a React 19 RC as a direct dependency while installing our package, npm/semver would honor that and not install react@latest on top?

@wraithgar
Copy link
Member

Yes I believe that's what would happen. The latest is picked in the absence of an extant version in the tree. If the extant version satisfies the semver range it is kept, regadless of the latest tag. To put it another way, this logic that looks for latest is only employed when there is not a version of the package already in the tree.

(This example assumes install-links is set to true)

~/D/s/p/sub $ npm pkg set peerDependencies.react="^16.8.0 || ^17.0.0 || ^18.0.0 || >=19.0.0-rc <19.0.0"
~/D/s/p/sub $ cd ..
~/D/s/peerdeps $ npm i ./sub --install-links=true

added 4 packages, and audited 5 packages in 1s

found 0 vulnerabilities
~/D/s/peerdeps $ npm ls react
@gar/peer-deps-test@1.0.0 /Users/wraithgar/Development/scratch/peerdeps
└─┬ @gar/sub-dep-test@1.0.0
  └── react@18.3.1

~/D/s/peerdeps $ npm pkg set dependencies.react="^19.0.0-rc"
~/D/s/peerdeps $ npm i

removed 2 packages, changed 1 package, and audited 3 packages in 784ms

found 0 vulnerabilities
~/D/s/peerdeps $ npm ls react
@gar/peer-deps-test@1.0.0 /Users/wraithgar/Development/scratch/peerdeps
├─┬ @gar/sub-dep-test@1.0.0
│ └── react@19.0.0-rc-fb9a90fa48-20240614 deduped
└── react@19.0.0-rc-fb9a90fa48-20240614

@phryneas
Copy link
Author

Okay, that helps a lot - thank you :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Bug thing that needs fixing Priority 2 will get attention when we're freed up
Projects
None yet
Development

No branches or pull requests

3 participants