npm audit fails for pre-release version like packagea 1.0.0-alpha-0001

What I Wanted to Do

npm audit should work seamlessly when packages.json has package reference with pre-release versions like"react": "^16.9.0-" and it is being resolved with react@16.9.0-alpha.0 in packages-lock.json file.

What Happened Instead

It actually fails to match the versions pattern with packages.json & packages-lock.json and throws below error

npm ERR! Errors were found in your package-lock.json, run npm install to fix them.
npm ERR! Invalid: lock file’s react@16.9.0-alpha.0 does not satisfy react@^16.9.0-

Reproduction Steps

  1. Clone this repository github npm-audit-semver-prerelease
  2. Do npm install
  3. Run npm audit


Attched npm debug log file for more information.

Platform Info

$ npm --versions
$ node -p process.platform

It works fine with Yarn yarn audit but we don’t want to use just for audit :frowning:

We are also facing the same issue. Need dashed packages to be allowed for npm audit

I think technically 16.9.0- is not a valid version for semver, as there has to be something after the dash. The format may be tripping up audit although it is working for install.


^16.9.0- did not work when I tried it in the semver calculator:

I changed it to ^16.9.0-alpha.0 in the package.json and was then able to run “npm audit” in your project with no errors.

(Thanks for the github repo)

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.