I found a case where npm dependency selection didn't follow node-semver.
I was trying to install superagent@1.8.5, and here is the dependency tree I got from npm ls:
└─┬ superagent@1.8.5
├── component-emitter@1.2.1
├── cookiejar@2.0.6
├─┬ debug@2.6.9
│ └── ms@2.0.0
├── extend@3.0.0
├─┬ form-data@1.0.0-rc3
│ ├── async@1.5.2
│ ├─┬ combined-stream@1.0.8
│ │ └── delayed-stream@1.0.0
│ └─┬ mime-types@2.1.26
│ └── mime-db@1.43.0
├── formidable@1.0.16
├── methods@1.1.2
├── mime@1.3.4
├── qs@2.3.3
├─┬ readable-stream@1.0.27-1
│ ├── core-util-is@1.0.2
│ ├── inherits@2.0.4
│ ├── isarray@0.0.1
│ └── string_decoder@0.10.31
└── reduce-component@1.0.1
And here I got formidable@1.0.16.
But when I looked into the dependencies of superagent@1.8.5, we can get:
dependencies: {
qs: "2.3.3",
formidable: "~1.0.14",
mime: "1.3.4",
component-emitter: "~1.2.0",
methods: "~1.1.1",
cookiejar: "2.0.6",
debug: "2",
reduce-component: "1.0.1",
extend: "3.0.0",
form-data: "1.0.0-rc3",
readable-stream: "1.0.27-1"
},
The dependency range for formidable is ~1.0.14, which means it will take the latest patch version of 1.0.X, since there is no dependency conflict on formidable.
However, the latest 1.0.X of formidable is 1.0.17 (ref link), and when I tried the official semver calculator, I can also get that the satisfied versions are 1.0.14, 1.0.15, 1.0.16, 1.0.17.
I wanna ask: are there any other rules for dependency resolution that I have missed?
Thanks!
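An added example, not part of the original post and not npm's own code: a minimal tilde-range matcher that lists which formidable versions satisfy ~1.0.14, plus a picker that follows the rule documented for npm-pick-manifest, where the version under the `latest` dist-tag is preferred when it satisfies the range and the highest match is used otherwise. The version list beyond 1.0.14 to 1.0.17 and the dist-tag values passed in are constructed; the page does not show the registry metadata for formidable.

```javascript
// Added example: minimal tilde-range resolution (x.y.z only, no prereleases).
'use strict';

// Constructed sample: 1.0.14..1.0.17 come from the post, the rest are made up.
const VERSIONS = ['1.0.13', '1.0.14', '1.0.15', '1.0.16', '1.0.17', '1.1.1'];

// Parse "1.0.14" or a partial such as "1.0" into [major, minor, patch] (null if absent).
function parse(v) {
  const m = /^(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map((p) => (p === undefined ? null : Number(p)));
}

// Numeric comparison of two full versions: negative, zero or positive.
function compare(a, b) {
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// ~M.m.p means >=M.m.p <M.(m+1).0; ~M.m means >=M.m.0 <M.(m+1).0; ~M means >=M.0.0 <(M+1).0.0
function satisfiesTilde(version, range) {
  if (!range.startsWith('~')) throw new Error('only tilde ranges are handled');
  const [maj, min, pat] = parse(range.slice(1));
  const lower = `${maj}.${min ?? 0}.${pat ?? 0}`;
  const upper = min === null ? `${maj + 1}.0.0` : `${maj}.${min + 1}.0`;
  return compare(version, lower) >= 0 && compare(version, upper) < 0;
}

// Highest version in the list that satisfies the range, or null.
function maxSatisfying(versions, range) {
  const ok = versions.filter((v) => satisfiesTilde(v, range)).sort(compare);
  return ok.length ? ok[ok.length - 1] : null;
}

// The `latest` dist-tag wins if it satisfies the range; otherwise the highest match.
function pick(versions, distTags, range) {
  const tagged = distTags && distTags.latest;
  if (tagged && versions.includes(tagged) && satisfiesTilde(tagged, range)) {
    return tagged;
  }
  return maxSatisfying(versions, range);
}
```

Running `npm view formidable dist-tags` shows the tags the registry currently publishes, and an existing lockfile or shrinkwrap pins versions regardless of either rule.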