npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

Prevent accidental backwards publishing of latest

npm’s current behaviour is that any stable semver that’s published without an explicit tag will become latest. This is non-intuitive to many and leads to situations such as:

I think this problem could be prevented if npm publish is enhanced to detect if a publish would result in “lower” semver latest version and either (a) warns the user via CLI feedback, like with OTP, or (b) rejects the publish with an error message, and the user has to run it with a --tag, e.g. npm publish --tag latest if they really do with to roll back latest, or npm publish --tag 1.x for example if they wish to avoid this accident.

Or in summary:

Omg YES! I cannot tell you how many times in the early days of npm where I’ve accidentally ran into the third scenario you’ve described. I’ve since learned but I’m sure this is likely to happen to plenty of others. And the worse part is that once the mistake happens, the publisher wont immediately notice the unintended behavior until its too late. I cant think of any reason why a publisher would ever want an older version of a package marked as latest.

Further, setting dist-tag seems to lag quite a bit.

it looks like :sunglasses: