I could not find any documentation which says that npm will not try to install a deprecated package version.

example:

2.0.0-beta.2  2.0.0-beta.5  2.0.0-rc.9

So if I install ^2.0.0-beta.2, it will resolve to 2.0.0-rc.9

And if I deprecate 2.0.0-rc.9

2.0.0-beta.2  2.0.0-beta.5  2.0.0-rc.9
                           (deprecated)

Now if I install ^2.0.0-beta.2, it will resolve to 2.0.0-beta.5

But I could not find any documentation which proves this behavior. Can someone please help to validate this?

Abhijeet Ahuja

2 Answers

I tested and confirmed that it does indeed ignore deprecated versions if there is another version it can use. (I temporarily deprecated metal-name version 1.3.1 and then ran npm install metal-name@1. It installed version 1.3.0 instead of 1.3.1. When I removed the deprecation for version 1.3.1, it went back to installing 1.3.1 when I ran npm install metal-name@1.)

I cannot find this behavior mentioned in the npm CLI documentation. However, I can find it mentioned in the commit log for the npm CLI client.

npm uses npm-pick-manifest to determine what to install. The README for that module says:

Prefers non-deprecated versions to deprecated versions.

Trott
  • But includeDeprecated flag is not present in the latest branch though. – Abhijeet Ahuja Jan 13 '22 at 08:31
  • But note that evidence isn't the same as knowing - unless there are docs that explicitly state this behaviour, that behaviour could suddenly be different tomorrow. – Mike 'Pomax' Kamermans Jan 13 '22 at 16:50
  • @Abhijeet There's no need for it to be in the latest branch because that behavior of npm-pick-manifest is now the default behavior. (I've added this information to my answer.) – Trott Jan 14 '22 at 03:39
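
A simplified model of the selection rule quoted from the npm-pick-manifest README in the answer above, as an added example (not code from npm, npm-pick-manifest, or the answer). It assumes caret ranges only and does not model dist-tags; `pick`, `satisfiesCaret` and the sample version data are names and values constructed for illustration.

```javascript
// Simplified, illustrative model (not npm's or npm-pick-manifest's code); caret ranges only.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`invalid version: ${v}`);
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}
const cmpCore = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Semver precedence: a release outranks its own prereleases; numeric
// identifiers compare as numbers and rank below alphanumeric ones.
function compare(a, b) {
  const c = cmpCore(a.core, b.core);
  if (c !== 0) return c;
  if (!a.pre.length || !b.pre.length) return b.pre.length - a.pre.length;
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    if (x === y) continue;
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) return +x - +y;
    if (nx !== ny) return nx ? -1 : 1;
    return x < y ? -1 : 1;
  }
  return 0;
}

function satisfiesCaret(version, range) {
  const v = parse(version), base = parse(range.slice(1));
  const i = base.core.findIndex((n) => n !== 0); // left-most non-zero part
  const k = i === -1 ? 2 : i;
  const upper = base.core.map((n, j) => (j < k ? n : j === k ? n + 1 : 0));
  // A prerelease matches only if the range names a prerelease of the same x.y.z.
  if (v.pre.length && !(base.pre.length && cmpCore(v.core, base.core) === 0)) return false;
  return compare(v, base) >= 0 && cmpCore(v.core, upper) < 0;
}

// Highest matching non-deprecated version; a deprecated one only as a fallback.
function pick(versions, range) {
  const matching = Object.keys(versions)
    .filter((v) => satisfiesCaret(v, range))
    .sort((a, b) => compare(parse(b), parse(a)));
  return matching.find((v) => !versions[v].deprecated) ?? matching[0] ?? null;
}

// Constructed registry data mirroring the question's example.
const published = { '2.0.0-beta.2': {}, '2.0.0-beta.5': {}, '2.0.0-rc.9': {} };
const withDeprecation = { ...published, '2.0.0-rc.9': { deprecated: 'constructed message' } };
console.log(pick(published, '^2.0.0-beta.2'), pick(withDeprecation, '^2.0.0-beta.2'));
```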

NPM will do whatever you told it to do, based on your package.json rule for each dependency. If you use ^ as version prefix then yeah: you literally told NPM to use "whatever is the most up to date minor release".

See both the documentation for dependency management and the semver range documentation for what syntax is accepted and what they all mean.

Mike 'Pomax' Kamermans
  • My question is, will npm ignore a deprecated version even though it's the closest match to the semver? – Abhijeet Ahuja Jan 13 '22 at 05:53
  • That's definitely a question to search the docs for, and if you can't find it, do what open source relies on: file an issue with the npm folks to get that information added into the documentation in the place you were looking but couldn't find it. So that _everyone_ can find that information in the first place they will be looking for answers, rather than the last place. – Mike 'Pomax' Kamermans Jan 13 '22 at 16:51