Timeframe for fixing latest not being semver latest
- What version of fingerprintjs are you using? 2.0.3
- Latest version on npm is 1.8.6
When I do npm outdated --depth=0 I get:
Package         Current  Wanted  Latest  Location
fingerprintjs2  2.0.3    2.0.3   1.8.6
2.0.3 is published to npm https://www.npmjs.com/package/fingerprintjs2.
https://github.com/npm/www/issues/89#issuecomment-268575927 says npm is working on a fix but no timeframe is given. Is this a priority at npm?
This is scheduled for npm@7. We don’t give timeframes. It’ll be done when it’s done, but it’s what we’re currently working on and I imagine this’ll be out by Q2 2019. That’s just a spitball, not a promise, though.
This is confusing, but I think it’s worth considering a bug. To be clear, this is what’s going on:
- user installed fingerprintjs2 from git, which is at
- user ran npm outdated, and npm used the version field, not the package spec, to check if it’s outdated.
- npm correctly reported that 1.8.6 on the registry.
I don’t know what the best solution for this is, but it sounds like the sort of thing we’ll address with the npm update rewrite.
For @dotnetCarpenter: You can ignore this – just switch over to the registry version instead of installing from git (if you did npm install Valve/fingerprintjs2, that would install from git, not from the registry).
Actually, I installed Fingerprint2 from the npm registry via npm i -D fingerprint2 but an old version. I have since manually updated by changing the version number in package.json, but npm outdated still shows an old version as latest.
I think it’s because there are 2 supported branches, a 1.* and 2.*. The 1.* branch is probably the latest release in regard to date but not semver, which is what we expect.
The same goes for the npm website that shows the latest release by date but not semver. Last I checked the latest version of npm is 5.7.* and not 6.5.* according to npm.org
npm outdated checks with the version that the default dist-tag points to, which is called latest. When the more recent versions of fingerprintjs2 were published, they automatically overwrote the version of the tag latest. A workaround for them would be to publish backports on a different tag (like npm does), as it is not possible to publish without a tag. The page for npm on npmjs.com shows 6.5.0 for me, and it was published 9 months after
I just took a screenshot and the latest version of npm is 5.7.1 and not 6.6.0, which is currently the latest.
That just seems to be outdated info (each of those packages are, I think). The latest dist-tag is 6.6.0 for me, and 5.7.1 was published about a year ago, just like the other packages in the list.
My point is, that it is counterintuitive that latest points to latest in time and not latest semver. Even for whoever made the npmjs.com front-page.
In my opinion the repercussion of this decision is that npm outdated lies and a package owner has to jump through hoops to fix it. In most cases the burden is just too high to fix it at the package level.
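
Added example, not part of the original thread and not npm's own code: a check that compares the `latest` dist-tag (what npm outdated reports as Latest) with the semver-highest stable version in a package's registry metadata. The packument is constructed, every version except 2.0.3 and 1.8.6 is made up, and the function names are hypothetical.

```javascript
// Constructed packument in the shape the npm registry returns (only the
// fields used here). Versions other than 2.0.3 and 1.8.6 are made up.
const packument = {
  name: "fingerprintjs2",
  "dist-tags": { latest: "1.8.6" },
  versions: { "1.8.5": {}, "2.0.0": {}, "2.0.3": {}, "1.8.6": {}, "2.1.0-beta.1": {} },
};

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; returns null for anything else.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  return m && { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null, raw: v };
}

// Order by major, minor, patch only (prerelease ordering is out of scope here).
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] - b.nums[i];
  }
  return 0;
}

// Highest stable version by semver precedence, independent of publish order.
function highestStable(pkg) {
  const stable = Object.keys(pkg.versions).map(parse).filter((p) => p && !p.pre);
  if (stable.length === 0) return null;
  return stable.reduce((max, p) => (compare(p, max) > 0 ? p : max)).raw;
}

// Compare the `latest` dist-tag with the semver-highest stable release and
// with the installed version, and flag when the tag lags behind either.
function auditLatestTag(pkg, current) {
  const tagged = (pkg["dist-tags"] || {}).latest || null;
  const highest = highestStable(pkg);
  const t = tagged && parse(tagged), h = highest && parse(highest), c = parse(current);
  return {
    tagged,
    highest,
    tagBehindSemver: Boolean(t && h && compare(t, h) < 0),
    currentAheadOfTag: Boolean(t && c && compare(c, t) > 0),
  };
}

console.log(auditLatestTag(packument, "2.0.3"));
```

A maintainer who sees `tagBehindSemver` can repoint the tag with `npm dist-tag add <pkg>@<version> latest` and publish later backports with `npm publish --tag <other-tag>`, as suggested in the thread.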