npm audit fails for pre-release version like packagea 1.0.0-alpha-0001
What I Wanted to Do
npm audit should work seamlessly when packages.json has a package reference with pre-release versions like "react": "^16.9.0-" and it is being resolved with firstname.lastname@example.org in the packages-lock.json file.
What Happened Instead
It actually fails to match the versions pattern with packages.json & packages-lock.json and throws the below error:
npm ERR! code ELOCKVERIFY
npm ERR! Errors were found in your package-lock.json, run npm install to fix them.
npm ERR! Invalid: lock file’s email@example.com does not satisfy react@^16.9.0-
- Clone this repository github npm-audit-semver-prerelease
Attached npm debug log file for more information.
$ npm --versions
6.9.0
$ node -p process.platform
win32
It works fine with Yarn (yarn audit), but we don’t want to use it just for audit.
We are also facing the same issue. Need dashed packages to be allowed for npm audit
I think technically 16.9.0- is not a valid version for semver, as there has to be something after the dash. The format may be tripping up audit although it is working for install.
^16.9.0- did not work when I tried it in the semver calculator: https://semver.npmjs.com
I changed it to ^16.9.0-alpha.0 in the package.json and was then able to run “npm audit” in your project with no errors.
(Thanks for the github repo)
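Added example, not part of the original thread and not npm's own code: a pre-flight check that flags dependency ranges in a manifest whose version has an empty pre-release tag (such as ^16.9.0-), using the regular expression suggested by the SemVer 2.0.0 specification. The function names and the sample manifest are constructed for illustration, and only simple comparator ranges are checked (tags, URLs and x-ranges are skipped).

```javascript
// SemVer 2.0.0 regular expression as suggested on semver.org.
// A "-" after the version core must be followed by at least one identifier.
const SEMVER = /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/;

const OPERATOR = /^(?:\^|~|>=|<=|>|<|=)?v?/; // leading range operator, optional "v"
const FULL_CORE = /^\d+\.\d+\.\d+/;          // token looks like a full x.y.z version

// Return the versions inside a range string that look like x.y.z
// but are not valid SemVer (hypothetical helper, not an npm API).
function invalidComparators(range) {
  return range
    .split(/\s*\|\|\s*|\s+/)                 // split on "||" and on whitespace
    .map((token) => token.replace(OPERATOR, ""))
    .filter((version) => FULL_CORE.test(version) && !SEMVER.test(version));
}

// Walk every dependency field of a parsed package.json object.
function lintManifest(manifest) {
  const fields = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  const findings = [];
  for (const field of fields) {
    for (const [name, range] of Object.entries(manifest[field] || {})) {
      for (const bad of invalidComparators(String(range))) {
        findings.push({ field, name, range, bad });
      }
    }
  }
  return findings;
}

// Constructed sample manifest; only the react range comes from the thread.
const sampleManifest = {
  dependencies: {
    react: "^16.9.0-",
    "react-dom": "^16.9.0-alpha.0",
    lodash: ">=4.17.0 <5.0.0 || ^5.0.0-",
  },
  devDependencies: { typescript: "~3.5.x", eslint: "latest" },
};

for (const f of lintManifest(sampleManifest)) {
  console.log(`${f.field}.${f.name}: "${f.range}" contains invalid version "${f.bad}"`);
}
```

Running a check like this before `npm audit` points at the offending range directly, rather than surfacing it as a lock-file mismatch.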