feat!: no implicit latest tag on publish when latest > version #7939
Conversation
reggi
force-pushed
the
reggi/prevent-lower-semver-without-explicit-tag
branch
2 times, most recently
from
3491a30 to
1747c7a
Compare
|
I took liberty to standardize all the |
reggi
force-pushed
the
reggi/prevent-lower-semver-without-explicit-tag
branch
from
1747c7a to
c8351fc
Compare
This is how things get better. Iteratively, and as we are already working in these files. |
There was a problem hiding this comment.
I am so excited that this could make https://npmjs.com/safe-publish-latest obsolete!
|
hmm, one difference i notice here between https://github.com/ljharb/safe-publish-latest/blob/main/getLatestError.js and this PR is that it's only comparing the "latest" version, not all versions. Specifically, if I have v1.4.0 and v1.5.0 published but have v1.3.0 marked as latest, and I publish v1.4.1, i wouldn't necessarily want that to be auto-marked latest - in other words, the only time i want implicit latest is when i have the normal scenario of "the latest tag is also the latest version". |
|
@ljharb we spoke about this a bit before implementation, I broke it down like this The two options are:
We went with 1, the idea being that this is only about "should we use default (implicit) tag |
|
That's certainly a viable decision, and I'm glad yall discussed it (altho it'd have been nice to have it discussed publicly, like npm changes historically have been) - but unfortunately I very much have encountered scenario 2 many times, not just on my own packages, which is why I wrote safe-publish-latest that way, and have been using it successfully for 8 years on many hundreds of packages. Obviously this can ship, and we could wait for another major to ship scenario 2, but it seems like the wiser option is to always prefer being maximally strict right out the gate, since tightening is semver-major but loosening is not? |
|
@ljharb reimplemented using semver latest instead of latest dist tag. I can't think of a downside for using semver latest as suggested. Overall I think it makes sense and will feels more intuitive. |
Co-authored-by: Jordan Harband <[email protected]>
Co-authored-by: Jordan Harband <[email protected]>
reggi
force-pushed
the
reggi/prevent-lower-semver-without-explicit-tag
branch
from
37cb797 to
777184d
Compare
|
Those publish tests look so much cleaner now. |
BREAKING CHANGE: Upon publishing, in order to apply a default "latest" dist tag, the command now retrieves all prior versions of the package. It will require that the version you're trying to publish is above the latest semver version in the registry, not including pre-release tags.
Implements npm RFC7.
Related to prerelease dist-tag: #7910
Apart of npm 11 roadmap: npm/statusboard#898