
[BUG] npm audit fix does semver-breaking updates for 0-versioned packages #726

Closed
DullReferenceException opened this issue Jan 24, 2020 · 3 comments
Labels
Bug thing that needs fixing

Comments

@DullReferenceException

What / Why

npm audit fix erroneously does non-semver-compatible bumps for 0-prefixed versions.

When

Always

Where

npm public registry

How

Current Behavior

Running npm audit fix causes bad, semver-breaking bumps. For example, soap being on version 0.23.0 gets a bump to 0.30.0. This same issue has been observed for packages like axios as well.

Steps to Reproduce

run npm audit fix with 0-versioned packages containing vulnerabilities

Expected Behavior

npm should refuse to do automatic bumps like this, since according to semver, 0.23.0 and 0.30.0 are not compatible: for zero versions the second number is considered a major bump.
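The compatibility rule the report relies on can be checked directly. The following is an added example, not npm's code and not something the reporter posted: it implements the semver caret rule (`^1.2.3` allows `<2.0.0`, `^0.2.3` allows only `<0.3.0`, `^0.0.3` allows only `0.0.3` itself) and uses it to flag which proposed bumps would be breaking. The function names and the list of sample bumps are constructed for this illustration; only the `soap` 0.23.0 to 0.30.0 bump comes from the report.

```javascript
// Added example (not npm's own code): caret-range compatibility check that
// follows the semver rule where, for 0.x versions, the minor number is the
// breaking boundary. Function names and sample data are constructed.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return (pa.major - pb.major) || (pa.minor - pb.minor) || (pa.patch - pb.patch);
}

// Does `candidate` satisfy the caret range `^current`?
//   ^1.2.3 := >=1.2.3 <2.0.0   (major is the breaking boundary)
//   ^0.2.3 := >=0.2.3 <0.3.0   (minor is the breaking boundary)
//   ^0.0.3 := >=0.0.3 <0.0.4   (patch is the breaking boundary)
function isCaretCompatible(current, candidate) {
  const cur = parseVersion(current), cand = parseVersion(candidate);
  if (compareVersions(candidate, current) < 0) return false; // downgrade
  if (cur.major > 0) return cand.major === cur.major;
  if (cur.minor > 0) return cand.major === 0 && cand.minor === cur.minor;
  return cand.major === 0 && cand.minor === 0 && cand.patch === cur.patch;
}

// Classify a list of proposed bumps (e.g. an audit-fix plan): any bump that
// leaves the caret range of the installed version is a breaking change and
// should not be applied automatically.
function classifyBumps(bumps) {
  return bumps.map(({ name, from, to }) => ({
    name,
    from,
    to,
    breaking: !isCaretCompatible(from, to),
  }));
}

// Constructed sample: the soap bump from the report plus invented cases.
const SAMPLE_BUMPS = [
  { name: 'soap', from: '0.23.0', to: '0.30.0' },      // 0.x minor bump: breaking
  { name: 'lib-zero', from: '0.23.0', to: '0.23.4' },  // 0.x patch bump: ok
  { name: 'lib-one', from: '1.4.0', to: '1.9.2' },     // minor bump on 1.x: ok
  { name: 'lib-two', from: '1.4.0', to: '2.0.0' },     // major bump: breaking
  { name: 'tiny', from: '0.0.3', to: '0.0.4' },        // 0.0.x patch bump: breaking
];

for (const b of classifyBumps(SAMPLE_BUMPS)) {
  console.log(`${b.name}: ${b.from} -> ${b.to} ${b.breaking ? 'BREAKING (refuse automatic fix)' : 'ok'}`);
}
```

Running the block prints one line per bump; `soap`, `lib-two` and `tiny` are reported as breaking, which is exactly the category of update the report says `npm audit fix` should not apply on its own.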

@DullReferenceException DullReferenceException changed the title [BUG] <title> npm audit fix does semver-breaking updates for 0-versioned packages Jan 24, 2020
@DullReferenceException DullReferenceException changed the title npm audit fix does semver-breaking updates for 0-versioned packages [BUG] npm audit fix does semver-breaking updates for 0-versioned packages Jan 30, 2020
@darcyclarke darcyclarke added the Bug thing that needs fixing label Oct 30, 2020
@DullReferenceException
Author

Was this fixed?

@ljharb
Contributor

ljharb commented Jun 2, 2021

@DullReferenceException which version of npm did you run into this with? if it's latest npm 7, i'll reopen it.

@DullReferenceException
Author

Looks like it's fixed in npm 7, sweet!
