npm Community Forum (Archive)


Timeframe for fixing latest not being semver latest


When I do npm outdated --depth=0 I get:

Package                Current          Wanted  Latest  Location
fingerprintjs2           2.0.3           2.0.3   1.8.6

2.0.3 is published to npm says npm is working on a fix but no timeframe is given. Is this a priority at npm?

Using npm 6.5



This is scheduled for npm@7. We don’t give timeframes. It’ll be done when it’s done, but it’s what we’re currently working on and I imagine this’ll be out by Q2 2019. That’s just a spitball, not a promise, though.

This is confusing, but I think it’s worth considering a bug. To be clear, this is what’s going on:

  1. user installed fingerprintjs2 from git, which is at 2.0.3.
  2. user ran npm outdated, and npm used the version field, not the package spec, to check if it’s outdated.
  3. npm correctly reported that latest is 1.8.6 on the registry.

I don’t know what the best solution for this is, but it sounds like the sort of thing we’ll address with the npm outdated/npm update rewrite.

For @dotnetCarpenter: You can ignore this – just switch over to the registry version instead of installing from git (If you did npm install Valve/fingerprintjs2, that would install from git, not from the registry).

Actually, I installed Fingerprint2 from the npm registry via npm i -D fingerprint2 but an old version. I have since manually updated by changing the version number in package.json, but npm outdated still shows an old version as latest.

I think it’s because there are 2 supported branches, a 1.* and a 2.*. The 1.* branch is probably the latest release in regard to date but not semver, which is what we expect.

The same goes for the npm website that shows the latest release by date but not semver. Last I checked the latest version of npm is 5.7.* and not 6.5.* according to

npm outdated checks with the version that the default dist-tag points to, which is called latest. When the more recent versions of fingerprintjs2 were published, they automatically overwrote the version of the tag latest. A workaround for them would be to publish backports on a different tag (like npm does), as it is not possible to publish without a tag. The page for npm on shows 6.5.0 for me, and it was published 9 months after 5.7.1.
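The dist-tag behaviour described above can be checked from a packument (the JSON that npm view <pkg> --json returns). The script below is an added example, not code from the thread or from npm: it finds the highest stable version actually published, compares it with what the latest tag points to, and prints the npm dist-tag command a maintainer would run to repoint the tag. The packument is constructed inline to mirror the fingerprintjs2 case.

```javascript
// Added example: detect a `latest` dist-tag that points behind the highest
// semver release, which is what makes `npm outdated` show 1.8.6 as "Latest"
// while 2.0.3 exists. Constructed packument, not fetched from the registry.
const packument = {
  name: "fingerprintjs2",
  "dist-tags": { latest: "1.8.6" },
  versions: { "1.8.5": {}, "1.8.6": {}, "2.0.0": {}, "2.0.3": {} },
};

// Parse "major.minor.patch[-prerelease]" into comparable parts.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Numeric compare on major/minor/patch; a prerelease sorts below its release.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] - y[k];
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Highest stable (non-prerelease) version that was actually published.
function highestStable(pkg) {
  return Object.keys(pkg.versions)
    .filter((v) => parseSemver(v).pre === null)
    .sort(compareSemver)
    .pop();
}

// Report whether `latest` lags and the command that repoints it. Backport
// releases should instead be published with `npm publish --tag <other-tag>`.
function checkLatestTag(pkg) {
  const latest = pkg["dist-tags"].latest;
  const highest = highestStable(pkg);
  const lagging = compareSemver(latest, highest) < 0;
  return {
    latest, highest, lagging,
    fix: lagging ? `npm dist-tag add ${pkg.name}@${highest} latest` : null,
  };
}

console.log(checkLatestTag(packument));
```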

I just took a screenshot and the latest version of npm is 5.7.1 and not 6.5.0 or 6.6.0, which is currently the latest.

That just seems to be outdated info (each of those packages is, I think). The latest dist-tag is 6.6.0 for me, and 5.7.1 was published about a year ago, just like the other packages in the list.

My point is that it is counterintuitive that latest points to the latest in time and not the latest semver. Even for whoever made the front page.

In my opinion the repercussion of this decision is that npm outdated lies and a package owner has to jump through hoops to fix it. In most cases the burden is just too high to fix it at the package level.