Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-16312

Metadata for NPM group considers pre-release version higher than actual version

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.8.0
    • Fix Version/s: 3.14.0
    • Component/s: NPM
    • Labels:
    • Story Points:
      3

      Description

      https://semver.org/#spec-item-11 it says: 
      Example: 1.0.0-alpha < 1.0.0-alpha.1 < 1.0.0-alpha.beta < 1.0.0-beta < 1.0.0-beta.2 < 1.0.0-beta.11 < 1.0.0-rc.1 < 1.0.0. 
      So, semantic versioning considers anything with “-” a prerelease so 1.0.0-SNAPSHOT is considered prerelease and 1.0.0 is bigger than 1.0.0-SNAPSHOT.

      1) Upload a package to hosted npm repo npm-snapshot with version 1.0.0-SNAPSHOT

      2) Upload a package to hosted npm repo npm-release with version 1.0.0.

      For repo npm-snapshot 1.0.0-SNAPSHOT is latest

      For repo npm-release 1.0.0 is latest

      3) Look at the group metadata, you will notice that it sets 1.0.0-SNAPSHOT as the latest

      {
        "description": "MKS Testing", 
        "dist-tags": {
          "latest": "1.0.0-SNAPSHOT"
        }, 
        "maintainers": [
          {
            "email": "mks@example.com", 
            "name": "admin"
          }
        ], 
        "name": "testdeploy", 
        "readme": "ERROR: No README data found!", 
        "time": {
          "1.0.0": "2018-02-22T15:19:01.131Z", 
          "1.0.0-SNAPSHOT": "2018-02-22T15:17:09.441Z", 
          "created": "2018-02-22T15:19:01.131Z", 
          "modified": "2018-02-22T15:19:01.131Z"
        }, 
      

       

      "npm install testdeploy"  from group repo will return 1.0.0-SNAPSHOT, as 1.0.0-SNAPSHOT set as latest.

      Even if look at the deploy times 1.0.0 is deployed later than 1.0.0-SNAPSHOT.

      So there may be some issue with npm group logic on picking which version should be latest as there is a latest tag on each member npm repos.

       

      A workaround is do a "npm install package@*" which will exclude prereleases.

        Attachments

          Activity

            People

            Assignee:
            mdodgson Mark Dodgson
            Reporter:
            msurani Mahendra Surani
            Last Updated By:
            Peter Lynch
            Team:
            Nexus - Formats
            Votes:
            3 Vote for this issue
            Watchers:
            5 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:
              Date of First Response:

                tigCommentSecurity.panel-title