Dev - Nexus Repo / NEXUS-31970

npm group dist-tags endpoint merges duplicate npm tagged versions using highest semantic version instead of first group member resolved version

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.37.3
    • Fix Version/s: 3.41.0
    • Component/s: NPM
    • Story Points: 3
    • Sprint: NXRM MadMax Sprint 36, NXRM MadMax Sprint 37
    • Notability: 3

      Description

      With this npm repo structure:

      npm-group
      - npm-hosted-1
      - npm-hosted-2
      

      Deploy a package named test with version 1.0.0-beta tagged as beta:

      npm publish --registry=http://localhost:8081/repository/npm-hosted-1/ --tag=beta
      

      Deploy a package named test with version 2.0.0-beta tagged as beta:

      npm publish --registry=http://localhost:8081/repository/npm-hosted-2/ --tag=beta
      

      Deploy a package named test with version 2.0.0 with the implicit latest tag:

      npm publish --registry=http://localhost:8081/repository/npm-hosted-2/ 
      

      Check what the view command reports for dist tags against the group repo:

      npm --registry=http://localhost:8081/repository/npm-group/ view test
      

      It should report the following AS EXPECTED (excerpt):

      ...
      
      dist-tags:
      beta: 1.0.0-beta  latest: 2.0.0
      ...
      

      Try npm install of the beta tag against the group:

      npm install --registry=http://localhost:8081/repository/npm-group/ --tag="beta" test
      

      This should install 1.0.0-beta AS EXPECTED

      Problem

      Now ask what the dist-tags are for this package against the group:

      npm --registry=http://localhost:8081/repository/npm-group/ dist-tags test

      NOT EXPECTED

      beta: 2.0.0-beta
      latest: 2.0.0
      

      Current Broken Behaviour: Gather all tags of the same package and merge them.
      When a duplicate tag is found in two or more repos (that is, any tag other than the implicit "latest" tag),
      choose the tagged version that is the highest semantic version.

      Expected

      When executing a dist-tag command against a group repo, search all group members for occurrences
      of the same package and merge all npm dist-tags. However, when a duplicate tag is found (that is not latest),
      resolve it against the version in the first group repo member in descending order (like the view command and install do).
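
      The two merge rules described above, side by side, as an added example that is not part of the original issue and is not Nexus Repository code. The function names are hypothetical, the sample data is constructed from the reproduction steps, and keeping highest-version merging for "latest" is an assumption, since the issue only specifies the other tags.

```javascript
// Compare two semver strings (major.minor.patch[-prerelease]); build metadata is not handled.
function compareSemver(a, b) {
  const parse = (v) => {
    const i = v.indexOf('-');
    return { core: (i < 0 ? v : v.slice(0, i)).split('.').map(Number),
             pre: i < 0 ? [] : v.slice(i + 1).split('.') };
  };
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x.core[i] !== y.core[i]) return x.core[i] - y.core[i];
  // A release outranks any prerelease of the same core version.
  if (!x.pre.length || !y.pre.length) return y.pre.length - x.pre.length;
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined) return -1;
    if (q === undefined) return 1;
    if (p === q) continue;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) return Number(p) - Number(q);
    if (pn !== qn) return pn ? -1 : 1; // numeric identifiers sort below alphanumeric ones
    return p < q ? -1 : 1;
  }
  return 0;
}

// members: one { tag: version } object per group member, in group order (hypothetical shape).
// strategy 'highest' = behaviour reported as broken; 'first' = behaviour the issue expects.
function mergeDistTags(members, strategy) {
  const out = Object.create(null); // no prototype, so a tag named "constructor" is safe
  for (const tags of members) {
    for (const [tag, ver] of Object.entries(tags)) {
      const seen = tag in out;
      // Assumption: "latest" keeps highest-version merging; the issue only covers other tags.
      const byVersion = strategy === 'highest' || tag === 'latest';
      if (!seen || (byVersion && compareSemver(ver, out[tag]) > 0)) out[tag] = ver;
    }
  }
  return out;
}

// Tags whose resolved version depends on the merge strategy: the ones to audit in a group.
function ambiguousTags(members) {
  const a = mergeDistTags(members, 'highest'), b = mergeDistTags(members, 'first');
  return Object.keys(a).filter((t) => a[t] !== b[t]);
}

// Constructed sample matching the reproduction steps: npm-hosted-1 first, then npm-hosted-2.
const groupMembers = [{ beta: '1.0.0-beta' }, { beta: '2.0.0-beta', latest: '2.0.0' }];
console.log(mergeDistTags(groupMembers, 'highest'), mergeDistTags(groupMembers, 'first'));
console.log('strategy-dependent tags:', ambiguousTags(groupMembers));
```

      A tag listed by ambiguousTags is one where the dist-tags endpoint and install could disagree about which version a tag points to, which matters when group member order is used to decide whose package wins.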

            People

            Assignee: Igor Udovika (iudovika)
            Reporter: Peter Lynch (plynch)
            Last Updated By: Igor Udovika
            Team: NXRM - Mad Max
            Owner: Vladimir Grab