Peer dependency invalid version requirement
lil5 opened this issue · 1 comments
What version of @tailwindcss/typography are you using?
v0.5.8
What version of Node.js are you using?
v20.5.0
What browser are you using?
n/a
What operating system are you using?
macOS
Reproduction repository
Describe your issue
- Go to https://semver.npmjs.com/
- Set the package name to `@tailwindcss/typography`
- and version range to `>=3.0.0 || insiders` (as defined here)
Expected
A valid range
Actual result
✕ Invalid range. View [syntax examples](https://semver.npmjs.com/#syntax-examples)
Notes
This breaks npm updates, here is an example using npm-check-updates
```
npm-check-updates --peer --target minor
Checking /Users/lil5/Projects/clothingloop/clothing-loop/frontend/package.json
[====================] 51/51 100%
[====================] 38/38 100%
@tailwindcss/typography ^0.5.8 → ^0.5.10
autoprefixer ^10.4.13 → ^10.4.16
Ignored incompatible updates (peer dependencies):
tailwindcss ^3.3.0 → ^3.3.5 reason: @tailwindcss/typography requires >=3.0.0 || insiders
Run ncu --peer --target minor -u to upgrade package.json
```
Hey so this is not invalid and is a problem with npm-check-updates and incorrect assumptions about version strings accepted by NPM.
During installation Arborist (NPM's dep management tool):
- Builds the tree of to-be-installed packages
- During that process calls `#buildDeps` -> `#nodeFromSpec` -> `#fetchManifest`
- Ultimately resulting in a call to something similar to this (`pacote` being the package downloader NPM uses):

```js
await pacote.manifest({
  name: "tailwindcss",
  rawSpec: "^3.0 || insiders"
})
```

This calls into the registry which resolves the version to v3.3.5 as of this writing.
If you pass through just insiders (equivalent to "tailwindcss": "insiders"):
```js
await pacote.manifest({
  name: "tailwindcss",
  rawSpec: "insiders"
})
```

Then it picks up the package manifest for latest insiders build and uses it to resolve dependencies. All this to say, this isn't invalid. NPM handles this, does so intentionally, and you can see this behavior when using something like npm outdated with these version strings. While semver is used to pick up package versions — it is not the only thing in use but it's not well documented. This is probably why npm-check-updates considers it invalid.
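Added example, not code from this thread, npm, or npm-check-updates: an offline check that splits each `peerDependencies` specifier on `||` and lists the alternatives that are not semver comparator sets, such as the bare name `insiders` in the specifier reported above. The regexes are a simplified assumption rather than node-semver's parser; `isSemverAlternative` and `auditPeerSpecs` are hypothetical names, and the sample package (including its `react` entry) is constructed.

```javascript
// Simplified semver-range grammar (an assumption, not node-semver's parser).
const PART = '(?:0|[1-9]\\d*|[xX*])';
const PARTIAL =
  `v?${PART}(?:\\.${PART}(?:\\.${PART}(?:-[0-9A-Za-z.-]+)?(?:\\+[0-9A-Za-z.-]+)?)?)?`;
const COMPARATOR = new RegExp(`^(?:>=|<=|>|<|=|\\^|~>?)?${PARTIAL}$`);
const HYPHEN_RANGE = new RegExp(`^${PARTIAL}\\s+-\\s+${PARTIAL}$`);

// True when one "||" alternative consists only of semver comparators.
function isSemverAlternative(alt) {
  // Join an operator to its version so ">= 3.0.0" is one comparator.
  const s = alt.trim().replace(/(>=|<=|>|<|=|\^|~>?)\s+/g, '$1');
  if (s === '') return true; // an empty alternative means "any version"
  if (HYPHEN_RANGE.test(s)) return true; // e.g. "1.2.3 - 2.0.0"
  return s.split(/\s+/).every((c) => COMPARATOR.test(c));
}

// Hypothetical helper: report peer specifiers containing a non-semver
// alternative (for example a dist-tag name), with the offending parts.
function auditPeerSpecs(pkg) {
  const findings = [];
  for (const [name, spec] of Object.entries(pkg.peerDependencies || {})) {
    const rejected = spec
      .split('||')
      .map((a) => a.trim())
      .filter((a) => !isSemverAlternative(a));
    if (rejected.length > 0) findings.push({ name, spec, rejected });
  }
  return findings;
}

// Constructed sample manifest; the tailwindcss specifier is the one from
// the npm-check-updates output above, the react entry is made up.
const SAMPLE_PKG = {
  name: 'constructed-plugin',
  peerDependencies: {
    tailwindcss: '>=3.0.0 || insiders',
    react: '^17.0.0 || ^18.0.0',
  },
};

for (const f of auditPeerSpecs(SAMPLE_PKG)) {
  console.log(`${f.name}: "${f.spec}" non-semver part(s): ${f.rejected.join(', ')}`);
}
```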