From ca5a6618d089d060d8882d050df2efd7d78d53f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=A4=A9=E7=8E=8E?= Date: Tue, 4 Oct 2022 16:01:37 +0800 Subject: [PATCH] RFC: dist-tag resolution correction --- .../0000-dist-tag-resolution-correction.md | 55 +++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 accepted/0000-dist-tag-resolution-correction.md diff --git a/accepted/0000-dist-tag-resolution-correction.md b/accepted/0000-dist-tag-resolution-correction.md new file mode 100644 index 000000000..3d2e1e63d --- /dev/null +++ b/accepted/0000-dist-tag-resolution-correction.md @@ -0,0 +1,55 @@ +# Dist tag spec should install the exact version + +## Summary + +Correct the `@npmcli/arborist` behavior when install a dist-tag specified dependency. + +## Motivation + +Current strategy may install the wrong version of a dependency. [PR#5599](https://github.com/npm/cli/pull/5599) is a attempt to fix this behavior. But as [@wraithgar](https://github.com/wraithgar) [pointed out in the pr](https://github.com/npm/cli/pull/5599#issuecomment-1262518986), this is a break change, and should be discussed in detail. + +## Detailed Explanation + +Given `package.json` below: +```json +{ + "dependencies": { + "kewu": "1.0.0", + "wuke": "1.0.1" + } +} +``` +The two npm package dependencies are: + +1. `kewu@1.0.0` has only one dependency `wuke@stable` +2. `wuke@stable` refers to `wuke@1.0.0` + +Run code below, would only install `wuke@1.0.1` into the root dir of node_modules. + +```javascript +const arborist = new Arborist({ + path: process.cwd(), +}) +const idealTree = await arborist.buildIdealTree({}) + +console.log('idealTree wuke: %s', idealTree.children.get('kewu').children.get('wuke')) +``` + +`@npmcli/arborist` treats `wuke@1.0.1` as the matched version of `wuke@stable`, which is wrong. + +## Rationale and Alternatives + + +## Implementation + +Check out [PR#5599](https://github.com/npm/cli/pull/5599) for the implement. + + +## Prior Art + +## Unresolved Questions and Bikeshedding + +As tested, this implement will break all previous package-lock.json when running `npm ci`, So a proper way to fix package-lock.json or to make `npm ci` run in compatible mode is needed. + +### References +[PR#5599](https://github.com/npm/cli/pull/5599)