npm Community Forum (Archive)

npm audit fails for pre-release version like packagea 1.0.0-alpha-0001

What I Wanted to Do

npm audit should work seamlessly when package.json has a package reference with a pre-release version like "react": "^16.9.0-" and it is resolved to react@16.9.0-alpha.0 in the package-lock.json file.

What Happened Instead

It actually fails to match the version pattern between package.json and package-lock.json and throws the error below:

npm ERR! code ELOCKVERIFY
npm ERR! Errors were found in your package-lock.json, run npm install to fix them.
npm ERR! Invalid: lock file’s react@16.9.0-alpha.0 does not satisfy react@^16.9.0-

Reproduction Steps

  1. Clone this repository from GitHub: npm-audit-semver-prerelease
  2. Run npm install
  3. Run npm audit

Details

Attached the npm debug log file for more information.

Platform Info

$ npm --versions
6.9.0
$ node -p process.platform
win32

It works fine with Yarn (yarn audit) but we don't want to use it just for audit :frowning:


We are also facing the same issue. Need dashed packages to be allowed for npm audit


I think technically 16.9.0- is not a valid version for semver, as there has to be something after the dash. The format may be tripping up audit although it is working for install.

See https://semver.org/#spec-item-9

^16.9.0- did not work when I tried it in the semver calculator: https://semver.npmjs.com

I changed it to ^16.9.0-alpha.0 in the package.json and was then able to run “npm audit” in your project with no errors.

(Thanks for the GitHub repo)
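The point made in the reply above, as an added example that is not from the thread, from npm or from node-semver: a minimal semver 2.0.0 parser and caret-range check in JavaScript (no dependency on the npm semver package, whose rules it only approximates for the cases shown) that rejects "16.9.0-" under spec item 9 and accepts react@16.9.0-alpha.0 against "^16.9.0-alpha.0".

```javascript
// Added example (not npm's or node-semver's code): a minimal semver 2.0.0
// parser and caret-range check reproducing the thread's observation.
// Spec item 9: a pre-release is one or more dot-separated identifiers of
// [0-9A-Za-z-], numeric ones without leading zeros. A bare trailing "-" as in
// "16.9.0-" leaves that list empty, so the pattern rejects it.
const ID = '(?:0|[1-9]\\d*|\\d*[A-Za-z-][0-9A-Za-z-]*)';
const VERSION_RE = new RegExp(
  `^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)` +
  `(?:-(${ID}(?:\\.${ID})*))?(?:\\+[0-9A-Za-z-]+(?:\\.[0-9A-Za-z-]+)*)?$`);

function parseVersion(s) {
  const m = VERSION_RE.exec(s);
  if (!m) return null; // not valid semver, e.g. "16.9.0-"
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : [] };
}

// Spec item 11: numeric identifiers compare numerically and rank below
// alphanumeric ones, which compare in ASCII order.
function cmpIds(a, b) {
  const na = /^\d+$/.test(a), nb = /^\d+$/.test(b);
  if (na && nb) return Math.sign(Number(a) - Number(b));
  if (na !== nb) return na ? -1 : 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

function compare(v, w) {
  for (const k of ['major', 'minor', 'patch']) if (v[k] !== w[k]) return v[k] < w[k] ? -1 : 1;
  if (!v.pre.length && !w.pre.length) return 0;
  if (!v.pre.length || !w.pre.length) return v.pre.length ? -1 : 1; // release > pre-release
  for (let i = 0; i < Math.min(v.pre.length, w.pre.length); i++) {
    const c = cmpIds(v.pre[i], w.pre[i]);
    if (c !== 0) return c;
  }
  return Math.sign(v.pre.length - w.pre.length);
}

// "^lo" admits versions >= lo that keep lo's leftmost non-zero component. A
// pre-release candidate is admitted only when lo is itself a pre-release on the
// same major.minor.patch (the node-semver rule npm applies). Returns null when
// the range or the version is not valid semver, which is the thread's case.
function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) return null;
  const lo = parseVersion(range.slice(1)), v = parseVersion(version);
  if (!lo || !v) return null;
  const sameTuple = v.major === lo.major && v.minor === lo.minor && v.patch === lo.patch;
  if (v.pre.length && !(lo.pre.length && sameTuple)) return false;
  if (compare(v, lo) < 0) return false;
  if (lo.major > 0) return v.major === lo.major;
  if (lo.minor > 0) return v.major === 0 && v.minor === lo.minor;
  return sameTuple;
}
```

satisfiesCaret('^16.9.0-', '16.9.0-alpha.0') returns null (unparseable range), while satisfiesCaret('^16.9.0-alpha.0', '16.9.0-alpha.0') returns true.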