I'm trying to figure out how npm versioning works because I'm getting stuck on two invalid packages. Ref my other question. The module I need, serialport, gets these packages as invalid: "readable-stream" and "string_decoder". Serialport has downloaded this version:

readable-stream@1.0.27-1

Serialport's dependency is

"readable-stream": "~1.0.2"

readable-stream's available versions are:

....
'1.0.26',
'1.0.27-1',
'1.0.31',
....

Which explains why 1.0.27-1 is picked. Because of the tilde and ~1.0.2, meaning that these three numbers have to exist in each version. Ref Jakob Mattsson's simple article

readable-stream downloads

string_decoder@0.10.25-1

readable-stream again depends on

"string_decoder": "~0.10.x"

And string_decoder's available versions are

....
'0.10.24',
'0.10.25-1',
'0.10.25',
'0.10.31',
'0.11.10-1'
....

How come that version is downloaded? Ref the article again, tilde means that it has to have 0.10 in the version number, and x is whatever exists?

Why is string_decoder@0.10.31 not chosen?

I believe my problem is related to prereleases, which is what this extra dash is called. I'm trying to gather facts to maybe see if the dependencies can get updated.

vonGohren
  • "Which explains why 1.0.27-1 is picked. Because of the tilde and ~1.0.2, meaning that these three numbers have to exist in each version." That's not quite true. It means that it must be at least 1.0.2 and < 1.1.0. Not sure why it doesn't take 1.0.31 in this case. – Joe Dec 23 '14 at 21:25
  • https://docs.npmjs.com/misc/semver – Joe Dec 23 '14 at 21:25
  • Yeah, you might be right. Ref these lines: ~1 means >= 1.0.0 and < 2.0.0 (or "Any version starting with 1") --- ~1.4 means >= 1.4.0 and < 1.5.0 (or "Any version starting with 1.4"). But it also has the comment "any version starting with", meaning starting with 1.0.2. So what makes this trigger? – vonGohren Dec 23 '14 at 21:28
  • `~1.0.2` does not mean `any version starting with '1.0.2'`. It's "any version >=1.0.2 <1.1.0". So, 1.0.10 or 1.0.31 is fine. However, prerelease versions are no longer included in ranges, so 1.0.27-1 would not be allowed. See: https://github.com/npm/npm/issues/6997#issuecomment-68006017 – isaacs Dec 26 '14 at 03:43

1 Answer

I received an answer on GitHub (issue answer) and thought I would share it with the rest who might wonder:

semver range checking is done semantically, not lexically, so 1.0.31 should match with npm@2:

% semver -r '~1.0.2' 1.0.26 1.0.27-1 1.0.31
1.0.26
1.0.31

I suspect that the behavior you're seeing is due to a bundledDependency included in the package tarball.

See Node app fails to run because of prerelease for a more detailed answer to why this happens.

vonGohren
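The range check discussed in this thread, as an added example that is not part of the original posts and is not the npm `semver` package: a minimal tilde-range matcher run over the version lists quoted in the question. The function names and the `includePrerelease` switch are assumptions of this sketch. With prereleases excluded (the npm@2 rule from the comments) or included, the highest match is 1.0.31 and 0.10.31, so range resolution alone does not select the installed 1.0.27-1 or 0.10.25-1, which is consistent with the bundledDependency explanation in the answer.

```javascript
// Added example: a minimal tilde-range matcher, not the npm `semver` package.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error('invalid version: ' + v);
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}

// Semantic comparison: numeric per field, and a prerelease sorts below its release.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i] ? -1 : 1;
  }
  if (!a.pre.length || !b.pre.length) return Math.sign(b.pre.length - a.pre.length);
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    if (x === y) continue;
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) return +x < +y ? -1 : 1;
    if (nx !== ny) return nx ? -1 : 1;
    return x < y ? -1 : 1;
  }
  return 0;
}

// ~1.0.2 -> >=1.0.2 <1.1.0 ; ~0.10.x -> >=0.10.0 <0.11.0 ; ~1 -> >=1.0.0 <2.0.0
function tildeBounds(range) {
  const p = range.replace(/^~/, '').split('.').filter(s => !/^[xX*]$/.test(s)).map(Number);
  const lower = { core: [p[0], p[1] || 0, p[2] || 0], pre: [] };
  const upper = { core: p.length === 1 ? [p[0] + 1, 0, 0] : [p[0], p[1] + 1, 0], pre: [] };
  return { lower, upper };
}

// includePrerelease=false models the npm@2 rule from the comments: prereleases never match
// a range that names no prerelease. true models the older, inclusive behaviour.
function satisfies(version, range, includePrerelease = false) {
  const v = parse(version), { lower, upper } = tildeBounds(range);
  if (v.pre.length && !includePrerelease) return false;
  return compare(v, lower) >= 0 && compare(v, upper) < 0;
}
function maxSatisfying(versions, range, includePrerelease = false) {
  const ok = versions.filter(v => satisfies(v, range, includePrerelease));
  return ok.sort((a, b) => compare(parse(a), parse(b))).pop() || null;
}

// Version lists as quoted in the question (the elided "...." entries are omitted).
const READABLE_STREAM = ['1.0.26', '1.0.27-1', '1.0.31'];
const STRING_DECODER = ['0.10.24', '0.10.25-1', '0.10.25', '0.10.31', '0.11.10-1'];
console.log(maxSatisfying(READABLE_STREAM, '~1.0.2'), maxSatisfying(STRING_DECODER, '~0.10.x'));
```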