What / Why
npm audit fix erroneously does non-semver-compatible bumps for 0-prefixed versions.
When
Always
Where
npm public registry
How
Current Behavior
Running npm audit fix causes bad, semver-breaking bumps. For example, soap being on version 0.23.0 gets a bump to 0.30.0. This same issue has been observed for packages like axios as well.
Steps to Reproduce
run npm audit fix with 0-versioned packages containing vulnerabilities
Expected Behavior
npm should refuse to do automatic bumps like this, since according to semver, 0.23.0 and 0.30.0 are not compatible: for zero versions the second number is considered a major bump.
DullReferenceException changed the title from "npm audit fix does semver-breaking updates for 0-versioned packages" to "[BUG] npm audit fix does semver-breaking updates for 0-versioned packages" on Jan 30, 2020
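The semver rule the report relies on (for 0.x.y versions the minor number is the breaking boundary, for 0.0.x the patch number is) can be checked mechanically. The following is an added example, not code from the issue or from npm itself: it implements caret-range compatibility without the semver package, reads the top-level versions out of a package-lock.json object (lockfile v1 and v2/v3 layouts), and lists every bump between a "before" and "after" snapshot that crosses a caret boundary, which is what a reviewer would want to run after npm audit fix to catch bumps like soap 0.23.0 to 0.30.0. The package names and versions in the samples are constructed (axios is named in the report, but its versions there are not).

```javascript
// Added example (not from the npm issue or npm's own code): flag dependency
// bumps that fall outside the caret (^) range of the previous version.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// "Does `to` satisfy ^from?" - the compatibility contract an automatic fix
// should respect. Rules: ^1.2.3 allows <2.0.0; ^0.2.3 allows <0.3.0;
// ^0.0.3 allows only 0.0.3 itself.
function isCaretCompatible(from, to) {
  const a = parseVersion(from), b = parseVersion(to);
  const cmp = (b.major - a.major) || (b.minor - a.minor) || (b.patch - a.patch);
  if (cmp < 0) return false;                       // a downgrade is never an in-range fix
  if (a.major > 0) return b.major === a.major;     // x.y.z: major is the boundary
  if (a.minor > 0) return b.major === 0 && b.minor === a.minor; // 0.y.z: minor is the boundary
  return b.major === 0 && b.minor === 0 && b.patch === a.patch; // 0.0.z: exact only
}

// Extract name -> version for top-level packages from a parsed package-lock.json.
// lockfileVersion 2/3 keep entries under "packages" keyed by path;
// lockfileVersion 1 keeps them under "dependencies" keyed by name.
function lockVersions(lock) {
  const out = {};
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (!path.startsWith("node_modules/") || !entry.version) continue;
      const name = path.slice("node_modules/".length);
      if (name.includes("node_modules/")) continue; // skip nested copies
      out[name] = entry.version;
    }
  } else if (lock.dependencies) {
    for (const [name, entry] of Object.entries(lock.dependencies)) {
      if (entry.version) out[name] = entry.version;
    }
  }
  return out;
}

// Compare two name -> version maps and return the bumps that cross a caret boundary.
function findBreakingBumps(before, after) {
  const breaking = [];
  for (const [name, from] of Object.entries(before)) {
    const to = after[name];
    if (to === undefined || to === from) continue;
    if (!isCaretCompatible(from, to)) breaking.push({ name, from, to });
  }
  return breaking;
}

// Constructed sample snapshots (names and versions are illustrative, except the
// soap 0.23.0 -> 0.30.0 case taken from the report).
const SAMPLE_BEFORE = { soap: "0.23.0", axios: "0.18.0", lodash: "4.17.11", "example-pkg": "0.0.3" };
const SAMPLE_AFTER  = { soap: "0.30.0", axios: "0.18.1", lodash: "4.17.15", "example-pkg": "0.0.4" };

for (const b of findBreakingBumps(SAMPLE_BEFORE, SAMPLE_AFTER)) {
  console.log(`breaking bump: ${b.name} ${b.from} -> ${b.to}`);
}
```

In a real repository the two maps come from `lockVersions(JSON.parse(...))` applied to the lockfile as committed (for example via `git show HEAD:package-lock.json`) and the lockfile left behind by npm audit fix; any line the script prints is a bump that needs the same review a manual major upgrade would get.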