Timeframe for fixing latest not being semver latest

Scenario

  • What version of fingerprintjs are you using? 2.0.3
  • Latest version on npm is 1.8.6

When I do npm outdated --depth=0 I get:

Package                Current          Wanted  Latest  Location
fingerprintjs2           2.0.3           2.0.3   1.8.6

2.0.3 is published to npm https://www.npmjs.com/package/fingerprintjs2.

https://github.com/npm/www/issues/89#issuecomment-268575927 says npm is working on a fix but no timeframe is given. Is this a priority at npm?

Using npm 6.5

Ref: https://github.com/Valve/fingerprintjs2/issues/415

This is confusing, but I think it’s worth considering a bug. To be clear, this is what’s going on:

  1. user installed fingerprintjs2 from git, which is at 2.0.3.
  2. user ran npm outdated, and npm used the version field, not the package spec, to check if it’s outdated.
  3. npm correctly reported that latest is 1.8.6 on the registry.

I don’t know what the best solution for this is, but it sounds like the sort of thing we’ll address with the npm outdated/npm update rewrite.

For @dotnetCarpenter: You can ignore this – just switch over to the registry version instead of installing from git (If you did npm install Valve/fingerprintjs2, that would install from git, not from the registry).


Actually, I installed Fingerprint2 from the npm registry via npm i -D fingerprint2 but an old version. I have since manually updated by changing the version number in package.json, but npm outdated still shows an old version as latest.

I think it’s because there are 2 supported branches, a 1.* and 2.*. The 1.* branch is probably the latest release in regard to date but not semver, which is what we expect.

The same goes for the npm website that shows the latest release by date but not semver. Last I checked the latest version of npm is 5.7.* and not 6.5.* according to npm.org

npm outdated checks with the version that the default dist-tag points to, which is called latest. When the more recent versions of fingerprintjs2 were published, they automatically overwrote the version of the tag latest. A workaround for them would be to publish backports on a different tag (like npm does), as it is not possible to publish without a tag. The page for npm on npmjs.com shows 6.5.0 for me, and it was published 9 months after 5.7.1.
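The mismatch described above (the latest dist-tag lagging behind the semver-highest published version) can be checked mechanically. This is an added example, not code from the thread or from npm; it runs over a constructed packument shaped like the registry's package document, with only the fields it needs.

```javascript
// Added example (not from the thread): detect when a package's "latest"
// dist-tag does not point at the semver-highest published version.
// Input is a constructed packument shaped like the registry's
// GET /<name> response; only the fields used here are included.

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Comparator returning <0, 0, >0. A prerelease sorts below its release;
// prerelease identifiers are ordered lexically here (a simplification).
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Highest non-prerelease version among those published.
function highestRelease(packument) {
  return Object.keys(packument.versions)
    .filter(v => parseSemver(v).pre === null)
    .sort(compareSemver)
    .pop();
}

// Compare the "latest" dist-tag (what `npm outdated` reports against)
// with the semver-highest release; a mismatch is the situation in the thread.
function checkLatestTag(packument) {
  const latest = packument['dist-tags'].latest;
  const highest = highestRelease(packument);
  return { latest, highest, mismatch: compareSemver(latest, highest) < 0 };
}

// Constructed sample mirroring the report: 2.0.3 is published, but the most
// recent publish was a 1.x backport, so "latest" was overwritten to 1.8.6.
const samplePackument = {
  name: 'fingerprintjs2',
  'dist-tags': { latest: '1.8.6' },
  versions: { '1.8.5': {}, '1.8.6': {}, '2.0.0': {}, '2.0.3': {} },
};

console.log(checkLatestTag(samplePackument));
// { latest: '1.8.6', highest: '2.0.3', mismatch: true }
```

On the package owner's side the repair is to re-point the tag (npm dist-tag add fingerprintjs2@2.0.3 latest) and to publish future 1.x backports under a separate tag with npm publish --tag <tag>, so they no longer overwrite latest.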

I just took a screenshot and the latest version of npm is 5.7.1 and not 6.5.0 or 6.6.0, which is currently the latest.

That just seems to be outdated info (each of those packages is, I think). The latest dist-tag is 6.6.0 for me, and 5.7.1 was published about a year ago, just like the other packages in the list.

My point is that it is counterintuitive that latest points to latest in time and not latest semver. Even for whoever made the npmjs.com front page.

In my opinion the repercussion of this decision is that npm outdated lies and a package owner has to jump through hoops to fix it. In most cases the burden is just too high to fix it at the package level.
