Mutability of the latest tag

[arcanis]

tl;dr The latest tag can currently point to non-latest releases, making it a semantical non-sense causing problems with tools attempting to give it one. Users should be prevented from modifying it, with it being fixed to whatever the latest stable release actually is at any given point in time. It wouldn't break use cases, because there are better tools to achieve what people typically want by doing this.

---

An annoying problem we've been hitting on Yarn regarding the npm registry has been regarding the latest tag on the registry. It's rather subtle, so first I'll explain a bit how things work, why it's problematic, some fixes, and what's the best one and why.

Tags on the npm registry work very much like Git: a set of words, where one word points to a version. Just like Git tags, npm's dist-tags are mutable: it's fairly easy to change the target of a tag by using the npm tag command. This capability is often used: various popular packages have a next tag pointing to the highest beta (and thus need to update the tag reference when a new beta is published), and even without that an overwhelming majority of packages make use of the latest tag, which always point to the latest stable release from a package.

Before going further, let me talk a bit about yarn add (npm add doesn't work exactly the same but suffers from the same problem, in different ways). When you run the command with a range (yarn add foo@bar), things are fairly simple: you tell us you want to use foo at version bar, so that's what we put in the dependencies field. Easy. Now, what happens when you run yarn add foo, though? Since there is no explicit version requested, we fallback on latest, which we resolve to whatever latest is currently assigned on the registry, and then finally we store that in the manifest as a range (let's say ^1.0.0). Fair enough, right?

And now is the fun part: what happens if latest doesn't point to the latest stable release? That sounds a bit weird, but it's actually very possible. The npm registry doesn't currently enforce what latest points to, so you can use npm tag to update it to an earlier release (I hear someone in the back say that's kinda like unpublishing a package, but safest, right? - let me continue and we'll come back to that later). As an example, Husky currently has the following releases (minus a few that aren't relevant to the problem at hand):

December  1, 2020   4.3.1
November 22, 2020   5.0.4         *next
November 16, 2020   5.0.0
September 15, 2020  5.0.0-alpha.1
September 15, 2020  5.0.0-alpha.0
September 7, 2020   4.3.0         *latest
April 9, 2020       4.2.5
April 9, 2020       4.2.4

We can notice a few things:

• The latest tag doesn't point to the highest stable (that would be 5.0.4)
• It doesn't point to the most recent 4.x release either (that would be 4.3.1), which is probably a mistake
• In fact, even the next tag doesn't point to a semver prerelease, which is probably a mistake too

That's kind of a mess ... but so what, will you ask me? Let's go back to yarn add. If you install Husky at the moment with Yarn (2), you'll have an funny behavior: Yarn will resolve latest to whatever the registry says (4.3.0), turn it into a range (^4.3.0), and add that to the dependencies field. Then it'll run an install, and that's when things become interesting! Because when Yarn sees a range in its dependencies (like ^4.3.0), it'll resolve that by asking the registry the list of all versions, keep only the compatible ones, and use whatever the highest is. Which, in this case, would be 4.3.1. As a result, you get a slightly awkward behavior where the range in the manifest doesn't represent the version who got installed (but is still perfectly compatible with it).

One question I can hear: is it a bug in Yarn? As I mentioned earlier, tags are words pointing to releases. In themselves, they have no bearing on the semver resolution - just because a release has a tag doesn't change anything regarding whether it is compatible or not with a range. Since 4.3.1 is compatible with ^4.3.0, then there's nothing preventing it from being selected... which can be surprising - we got at least two/three issues about this in the past year.

So what can be done to prevent that?

• Yarn could ignore all versions higher than latest for the purpose of semver range validation. I don't like that, because it's the kind of magical workaround that's susceptible to break in unexpected way (what if I use a range to a prerelease? What if I use *? etc)

• Yarn could make yarn add smarter by storing an exact range (4.3.0) instead of a caret range when it detects that a latest semver range would match more than one unique version. This is undesirable because:

  • It would break commands like yarn upgrade-interactive, which would lose valuable information (that the user intends allows this dependency to be upgraded to future versions within the same major).

  • It would break systems that enforce caret dependencies (or, more generally, would be confusing to many users that wouldn't understand why some dependencies are ranges and others exact).

• Yarn could use a literal latest tag in the dependencies field (instead of a semver range) when it detects that a latest caret range would match more than one unique version. It would address the first problem, but leave the second: it would be very confusing to have one behavior or another without clear idea why.

• We could do what npm does, and use ^4.3.0 and have some internal logic to install 4.3.0 during the followup install, rather than the highest compatible version. The would solve the confusion, but would leave the upgrade-interactive problem.

• We could completely ignore whatever the latest tag points to, and let yarn add find out what's the highest stable version available. In Husky's case however that would be 5.0.4, not 4.3.1.

I find this latest option the most interesting one, because the only real blocker is that Husky made a mistake by publishing a prerelease (5.0.4) as semver-stable, and thus it would be accidentally installed. But still, that's problematic! How to fix this if it happens? This bring me back to the question I put aside earlier:

[pinning latest to an earlier version] kinda like unpublishing a package, but safest, right?

This scenario is the only case where it makes sense to pin latest to not-latest. This way, people running yarn add won't accidentally use your accidental release. However it's also flawed: they still can upgrade to it, since the range will still match. What we need is a way to say "hey, I don't want this version to ever be considered for resolution, unless explicitly requested", so that package authors could truly "unpublish" a package, but without removing it from the registry (which could break projects who already started relying on it).

Fortunately this already exists! Package versions can be deprecated, and package managers can use this heuristic to make them secondary during resolution, to prefer the non-deprecated versions when possible. Through this mean, we have a proper way to satisfy the only use case for pinning latest to an earlier version - thus removing the only blocker that would prevent making latest immutable.

[ljharb]

I’m unclear on what you’re proposing, but the ability to mutate the latest tag is critical, and must not be impeded in any way.

[ljharb]

I don’t see why a problem with yarn should motivate a server side restriction that breaks clients that lack a resolutions feature when package authors prefer not to publish a revert. Why can’t yarn do “exactly what npm does” here?

[tim-ethitrade]

I don’t see why a problem with yarn should motivate a server side restriction that breaks clients that lack a resolutions feature when package authors prefer not to publish a revert. Why can’t yarn do “exactly what npm does” here?

I think you're missing the point. I don't see how this has anything to do with yarn or it's specific implementation. This is about semantic differences in the concepts at a higher-level, one which any and all package managers can take advantage of these changes (including npm), regardless of whatever current implementation npm has (just because npm does it one particular one now, doesn't mean doing it in that way is the best solution to the problem, so that's just not really an argument).

What I inferred from reading this, is that the proposed solution would open up new capabilities for all package managers, which can only help the ecosystem as a whole, though I'm happy to be shown differently if I'm wrong.

[ljharb]

Let me try again by describing some of my use cases more fully:

1. I need to be able to publish v5.0.0 as latest by accident, and then recover from this mistake by setting v4.x as latest.
2. I need to be able to publish v5.0.0 as next, and continue to publish v4.x versions as latest, until i'm ready to promote the already-released v5.0.0 (or another already-released v5.x) to latest
3. I need to be able to publish v1.2.3 as latest, realize there's a bug that's not easy to revert, and set v1.2.2 to latest, so that the majority of users don't get v1.2.3 (all new users would get v1.2.2, and only if someone ran npm update or explicitly referenced it would they see v1.2.3). Later, once the bug is understood, I can publish a v1.2.4.
4. Additionally, in the previous scenario, by having the ability to set v1.2.2 to latest, it (on the previous programatic unpublish policy) was possible to unpublish v1.2.3. While I believe this is no longer possible without npm support intervention, I think the current iteration of unpublish policies are severely broken, and I hope to restore this ability - which would require latest to be mutable.

There's also a common scenario of mine where mutable latest is problematic - namely, v2 is latest, and I publish a v1.x backport (or v1.2.x is latest, and i publish a v1.1 backport), and forget to set an alternate tag. In this case, I need to be able to change latest to point to the chronologically-earlier publish of v2.x once I realize my mistake (i've created https://npmjs.com/safe-publish-latest to address this hazard, and I add it to the prepublish script in all my packages. It doesn't come up often because backports to previous majors/minors are rare)

@arcanis do you have a concrete proposal? Which scenarios of mine would no longer be possible under that proposal?

[arcanis]

@arcanis do you have a concrete proposal?

From the first line in my thread: users should be prevented from modifying [latest], with it being fixed to whatever the latest stable release actually is at any given point in time.

Which scenarios of mine would no longer be possible under that proposal?

None.

1. I need to be able to publish v5.0.0 as latest by accident, and then recover from this mistake by setting v4.x as latest.

You don't set 4.x as latest. You mark 5.0.0 as deprecated. Package managers now have semantic information telling them to avoid this version if others are available.

2. I need to be able to publish v5.0.0 as next, and continue to publish v4.x versions as latest, until i'm ready to promote the already-released v5.0.0 (or another already-released v5.x) to latest

This thread isn't about next - you can do whatever you want with dist-tags that arent latest, I don't mind, because they have no bearing on the CLI behaviors. It's still a bad idea to publish non-rc releases as next (leaves your users exposed to unwanted upgrades if they use *), but that's on you.

3. I need to be able to publish v1.2.3 as latest, realize there's a bug that's not easy to revert, and set v1.2.2 to latest, so that the majority of users don't get v1.2.3 (all new users would get v1.2.2, and only if someone ran npm update or explicitly referenced it would they see v1.2.3). Later, once the bug is understood, I can publish a v1.2.4.

You don't set 1.2.2 as latest. You mark 1.2.3 as deprecated. Package managers now have semantic information telling them to avoid this version if others are available.

4. Additionally, in the previous scenario, by having the ability to set v1.2.2 to latest, it (on the previous programatic unpublish policy) was possible to unpublish v1.2.3. While I believe this is no longer possible without npm support intervention, I think the current iteration of unpublish policies are severely broken, and I hope to restore this ability - which would require latest to be mutable.

If you fully unpublish a version, then it's fine to update latest to whatever the new highest stable version becomes. My point is that the user should be forbidden to have control over this tag, not the registry itself (otherwise publishing new versions would never do anything).

[ljharb]

Users should never use * anyways, since that will always result in unwanted upgrades, so I’m comfortable saying that’s on them.

Package managers do not universally (including older versions that are still widely in use) have the ability to take deprecation as a signal. Additionally, they shouldn’t deprecated until the root cause is understood (in scenario 2) and at all (in scenario 1). Deprecation doesn’t mean “prefer avoiding this version” and should not be distorted to mean that - that’s what “latest” is for.

You can’t unpublish any version that “latest” points to - as far as I’m aware, that has been a constraint since the creation of i publishing.

[MylesBorins]

Hey @arcanis I've shared this with this team and will follow up when I've had time to think on this a bit more.

It seems like the biggest confusion is specifically when you have a semver in the range in the package.json that includes latest, but would install a newer version. In the case that folks publish a next to test things about before promoting to current the semver range would be satisfied by the non-latest version.

An initial thought would be semantically... do we want to be respecting the range in the package.json, or do we think "latest" should trump the "highest possible version" in the range if latest is in the range but not the highest possible version.

[ljharb]

I think there's also a potential conceptual difference between the implicit "latest" when one does npm install foo, and an explicit one like npm install foo@latest.

[isaacs]

So, to make sure I understand the request here, the idea is:

• latest would be set by the registry, and guaranteed to always point to the highest-SemVer (or last published?) non-prerelease version.
• Other dist-tags could be modified by users explicitly, but not latest.
• Users who npm publish --tag=next (or with {"publishConfig":{"tag":"next"}} would still end up updating their latest tag, provided the SemVer does not contain a prerelease portion.

There are a number of challenges with this approach.

First, it will break existing use cases (including one that npm itself uses) for providing releases on a semver-major line ahead of making that semver-major line the "default" installed copy.

Second, it could make it much more challenging to release legacy versions of a package. I think this might have been addressed by making the latest tag always refer to the highest-SemVer release rather than the last-published, but I do manage several packages where I have a branch like legacy-2.x, where the package.json contains {"publishConfig":{"tag":"legacy-2"}} or some such.

If we do implement this in such a way as to avoid the legacy management problem, then I don't see how the semantics are any less misleading. If the core objection is that "latest" might not actually be the "latest" published, well... if my currently active release line is 3.x, and I then publish 2.2.1 to fix a bug in the legacy 2.2.0 version, then 3.2.0 is no longer the "latest" published. Either we accept this semantic wart, or I'm forced to then publish a no-change 3.2.1 just to re-claim the tag.

The much easier solution to this problem would be for Yarn to adopt the same semantics for manifest resolution that npm uses, which is encapsulated in npm-pick-manifest. It's a small module with few dependencies and very infrequent changes, the source is open and the algorithm is well documented. It even supports some forward-looking features that have gone through the npm RFC process but are not yet implemented in the public registry (ie, staged publishes and security policy restrictions). Calling this "internal logic to npm" is a bit misleading, since it's clearly external to npm, and extremely easy to adopt. I'm not sure how we could make it any easier, short of writing the patch for Yarn ourselves. (To be clear, if you're open to it, I'm happy to do this.)

If you would still prefer not to rely on npm-pick-manifest directly, it would still be good to copy it. It's worth reading through the the algorithm documentation itself, as it's not that complicated, but just to tl;dr as to how it solves this problem, it's rather simple: when presented with a range, prefer the version that is found in packument['dist-tags'][options.defaultTag] if it matches. (It does also prefer non-deprecated versions over deprecated, published versions over staged, versions not explicitly avoided over those that should explicitly be avoided, and those that will not trigger an engine warning at install time over those that will.) These heuristics provide the user-expected behavior for consumers, without restricting publishers or imposing new heavy-handed restrictions on how dist-tags must be used, which we believe provides the optimal flexibility for publishers to employ a wide variety of package deployment approaches, as suits their projects.

Since a solution to the problems presented is readily available for all to use, and adding this restriction to the registry would break several popular and valuable use cases, I think it is extremely unlikely we will move forward with the suggestion as presented, unless there is a significantly more compelling need to justify the disruption.

That said, there is clearly work to be done evangelizing the use of "publishConfig" (or a tag setting in a project .npmrc file) to avoid ever putting a version on the latest tag unexpectedly.

[arcanis]

First, thanks for the comprehensive answer, I find it helpful. I however feel there's something I should clarify: in itself, I'm not worried about Yarn. We'll implement this logic and be done for the day. Still, I'm worried about what it actually means in terms of semantic for the ecosystem - just because it's not a problem for us doesn't mean it's not a problem in general.

When you see a semver range (and I say this even if "semver ranges" is a bit loose, as ranges aren't technically part of the semver spec), it's fairly easy to know what to do of it. You take the version, you compare it with the range, and you know whether the version is semantically compatible with the range. It's simple, it's nice, it's synchronous, and as such many tools that depend on the semver module assume that this is how it works - including the ranges in the dependencies field.

However, what you say, and specifically "the version indicated by latest will be given top priority if it matches a supplied semver range", has nothing to do with a typical semver range resolution. Now, given a version and a range, you cannot know whether a version is compatible with a range for the purpose of the dependency resolution: you also need the set of preferred versions. It may not sound much, but it means that every tool leveraging the semver ranges within the dependencies field has to be aware of that. For instance:

• A tool like Renovate / Dependabot must be careful not to upgrade a version past latest, even if the range is compatible.
• A dep graph optimizer has to be careful not to merge versions across latest, even if when they would be otherwise compatible.
• A service like Snyk perhaps shouldn't go past latest when offering replacement versions.

Now, it's of course not impossible to do - that's how things usually work (do they? can you say for sure that all the aforementioned tools are even aware of the rule you shared? what would you say are the chances that Lerna has at least one bug about this when working with npm 6?). But it means that special logic has to be added in order to workaround semver, and make it work differently from expectations. I personally don't think this is the right approach.

It does also prefer non-deprecated versions over deprecated, published versions over staged, versions not explicitly avoided over those that should explicitly be avoided, and those that will not trigger an engine warning at install time over those that will.

For the sake of the debate, I find that a problematic but acceptable counter-argument, in that even if the latest tag was pinned, there would be other slight differences between classic semver and whatever the package manager would use. Still, even that feels wrong for the aforementioned reasons 🤔

[isaacs]

"semver ranges" is a bit loose, as ranges aren't technically part of the semver spec

A bit afield from the OP here, so I'll reply to the other stuff in a separate comment, but you may be interested in the conversation over at semver/semver#584

The SemVer spec moves very slowly, as we all have a lot on our plates. For ranges in particular, part of the issue is that every package manager sort of implemented something similar out of necessity, but they're all subtly different. I threw out a proposal which just specifies what node-semver does to get the conversation started, but we're still kind of at the "figuring out where the cowpaths even are before we can go about paving them". My guess is that the spec will land in a place where the overlap is codified, and there's a bunch of "optional, but if implemented, must be work like this" stuff.

[isaacs]

Now, given a version and a range, you cannot know whether a version is compatible with a range for the purpose of the dependency resolution: you also need the set of preferred versions.

In practice, this is not the case. If your dependency is ^1.2.3 and the latest dist-tag is 1.2.4, then that's the resolution npm will pick by default. However, if 1.2.5 is in the tree, it'll be treated as a valid resolution. All tools that currently do version resolution will see it as fine, because 1.2.5 matches the ^1.2.3 semver range.

There is no rule in the SemVer specification or elsewhere that says a package manager must select the highest-precedence version number available that satisfies a dependency range. All package managers apply additional heuristics on top of naively selecting the presumably latest and greatest. (Deprecation, deduplication, known security vulnerabilities, the list goes on and on.) I'm not sure why the existence of such heuristics invalidates using the range as a valid statement of compatibility.

• A tool like Renovate / Dependabot must be careful not to upgrade a version past latest, even if the range is compatible.

Not a bad idea for renovate/dependabot, if they intend to mirror the behavior of npm update.

• A dep graph optimizer has to be careful not to merge versions across latest, even if when they would be otherwise compatible.

I don't agree with this. npm is a "dep graph optimizer", and it does merge versions across latest if they're otherwise compatible. It just prioritizes the latest version when selecting a manifest out of a packument.

• A service like Snyk perhaps shouldn't go past latest when offering replacement versions.

Similar to renovate/dependabot, it might be a good idea for Snyk to prioritize the dist tagged version, but if latest has a vulnerability, and >latest doesn't, it's pretty clear what Snyk should prioritize. (It's the same that npm audit fix does in that case, in fact.)

But it means that special logic has to be added in order to workaround semver, and make it work differently from expectations.

No, it means that special logic has to be added when selecting a manifest from a packument. Which is already the case, because it needs to be able to get the list of versions, etc. Selecting which version of a package to install will almost always take into account more than merely the available versions and dependency range, so I'm not sure I even really understand what the concern is here. It would be user-hostile to install something that is deprecated, or known vulnerable, or claims to conflict with the current platform, or can't be ideally deduplicated (especially on platforms other than node where full deduplication is a hard requirement!), if there is some way to avoid these problems.

Prioritizing the version which the publisher has claimed should be the default, if it's a valid choice otherwise, strikes me as completely reasonable.

It seems like you've gotten it in your head that latest ought to mean "the last one published". Fun fact of history: it used to! For about a week or two. The original design of npm was that the default tag to be installed would be stable. Whenever you publish, it'd be tagged as latest, and then you'd have to npm tag [email protected] stable to mark a version that should be installed. (This mirrored the behavior of yinst.)

Almost immediately, users were annoyed that they'd publish something, but it couldn't be installed until they ran a second command, so we just made latest the default one to be installed. (You still can do npm install --tag=stable and it'll use that as the default tag to be installed, or npm publish --tag=stable, and it'll publish with that dist-tag. It's just that the default tag config is 'latest'.)

Fairly shortly afterwards, users got annoyed that their dependency didn't get the "default" version when they had a dependency range that included a release that wasn't yet ready to be the default installed version. So someone would depend on >=1.2.3, and get 2.0.1 instead of "latest" which was 1.2.4. (This was in the days before ^ and ~ ranges.) Some time in 2010 I believe, based on user demand, I added the logic to make it prioritize the tag config as the default, and we've preserved it ever since.

So, I'm really not overstating it to say that:

• What you're suggesting changing is a decade old,
• it was implemented based on direct user needs and feedback, and
• a whole ecosystem has grown up around this behavior, in spite of any "incorrect" semantics.

Like, ok, maybe "main" or "default" would've been a better name choice, but the convention and the behavior is as established as anything else in JavaScript now, and it would be massively disruptive to change. I don't think you can credibly argue that it is "abandoning SemVer" to use heuristics other than "highest SemVer version within the range" when choosing an install target (since literally every package manager does so), and I haven't really seen a problem brought up here that can't be fixed by just helping users better understand the tools at their disposal. Since many of them do understand the behavior (at least well enough to build things that rely on it), changing it would not be good for them, and would cause an increase in confusion, even if more semantically "correct".

[arcanis]

It seems clear you don't agree there's a problem so I'll mark this as the answer, but I disagree with your evaluation. Specifically, I think there's a conflict between what you use latest for, and how you actually can use it without making your users' projects vulnerable to edge cases. To try to prove that, consider the following situation:

• Webpack depends on HelperLib@^1.2.0
• Storybook depends on HelperLib@^1.5.0
• HelperLib has a latest pointing on 1.4.0
• The Webpack author, similar to @ljharb, doesn't want ^1.2.0 to resolve to anything past latest

Let's say I create a project P1 and add Webpack as the only dependency. Then the package manager will resolve the version according to your heuristic, 1.4.0 will be selected, all fine. Now let's create another project P2 with both Webpack and Storybook as dependencies. In this situation:

• Webpack > HelperLib will initially resolve ^1.2.0 to 1.4.0
• Storybook > HelperLib will initially resolve ^1.5.0 to 1.5.0
• However, later on, an optimization pass may be free to dedupe those resolutions into one

This last point is permitted because both ^1.2.0 and ^1.5.0 are satisfied by 1.5.0 semver-wise, and because of the following point you mentioned in your post:

npm is a "dep graph optimizer", and it does merge versions across latest if they're otherwise compatible. It just prioritizes the latest version when selecting a manifest out of a packument

Consequently, the use case you and @ljharb mention (being able to use latest to prevent packages from being accidentally used until they're ready to become the main version) doesn't actually exist - it may work in most cases, but will break as soon as the user gets a pathological dependency tree during which versions past latest will get merged into less-than-latest but still semver-compatible ranges.

To fix that, and turn this into a proper guarantee, package manager authors would have to forego the point I quoted and make the optimization pass be aware that the latest heuristic is an actual semantic block (as in, it's not here just to be convenient, but it has strong implications in terms of package compatibility, similar to peer dependencies), which would go into the problems I detailed earlier.

Fairly shortly afterwards, users got annoyed that their dependency didn't get the "default" version when they had a dependency range that included a release that wasn't yet ready to be the default installed version

It's still unclear to me why those users don't use prereleases, whose purpose seem to be exactly this? To be clear, I'm not saying the use case doesn't exist, but I'm wondering if perhaps the way it got solved isn't to fit a square in a circular box. It works, but you see holes on the side...

[ljharb]

To be clear, I’m always fine with ranges resolving past latest in some cases - i just don’t want the majority of cases to do so. I don’t actually want or need a guarantee.