When an npm proxy repository rewrites metadata it seems to set the "latest" dist-tag to the highest semantic version, rather than the "latest" seen on the proxy's remote.
- Create a hosted npm repository with 'allow redeploy', and a proxy of that repository
- Publish 3 versions of a package to the hosted npm repository. I used versions 0.0.1, 0.0.2, and 0.0.3, published in that order
- Fetch the package metadata and all three package tarballs through the proxy.
- Verify that the proxy's metadata has 0.0.3 set as the latest
- Republish version 0.0.2 and delete version 0.0.3 in the hosted repository.
This left me with versions 0.0.2 and 0.0.3 in the hosted repository, with 0.0.2 as the latest.
I expired cache on the proxy, and refetched the metadata.
Version 0.0.3 is seen as the latest in the proxy.
I have attached a complete sonatype-work directory from a 3.19.1 instance that has the hosted and proxy repositories in this state.
Delete the cached package from the proxy repository to force the proxy package metadata to be rebuilt from scratch. Using the UI is one way to do that.