[CodeArtifact] [Bug] Upstream repository for npm has different interpretation (breaking change) to "latest version" than https://registry.npmjs.org/

Description of setup

The web app my team is working on uses yarn as the node package manager with the registry hosted at a CodeArtifact registry. Our team's private npm packages are available on this registry. Our CodeArtifact registry is also configured to have an upstream repository. This upstream repository is connected to https://registry.npmjs.org/.

Issue

Our web app uses multiple packages that have a dependency on "@types/node": "*" (see here). At the time of writing, these are the 5 latest versions sorted in order of their release date: 12.20.47, 16.11.26, 17.0.21, 17.0.20, 17.0.19.

Given that the dependencies in our app have @types/node: * as a dependency, I would expect that doing yarn install installs the latest version. In the list above, that would be version 17.0.21.

However, when we are doing yarn install with the registry set to the AWS CodeArtifact registry, we get the version 12.20.47, which is the latest in terms of release date but not the latest in terms of semantic versioning.

Proposal

Can you look at fixing the issue with upstream repositories connected to the public npm registry so that the latest version is always the latest semantic version rather than the latest release date?

Minimum replication

Here is a minimal replication for the issue:

package.json

{
  "name": "demoBug",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "dependencies": {
    "ioredis": "4.28.1"
  },
  "devDependencies": {
    "@types/node": "16.11.9",
    "@types/ioredis": "4.28.1"
  },
  "author": "",
  "license": "ISC"
}

Notice how @types/ioredis is the package that has a dependency on @types/node: "*".

.npmrc

registry="https://registry.yarnpkg.com"

.yarnrc

registry "https://registry.yarnpkg.com"

The result in the yarn.lock file is what is expected.

yarn.lock (with integrity hash removed)

...
"@types/node@*":
  version "17.0.21"
  resolved "https://registry.yarnpkg.com/@types/node/-/node-17.0.21.tgz#864b987c0c68d07b4345845c3e63b75edd143644"

"@types/node@16.11.9":
  version "16.11.9"
  resolved "https://registry.yarnpkg.com/@types/node/-/node-16.11.9.tgz#879be3ad7af29f4c1a5c433421bf99fab7047185"
...

See how the version of @types/node is at the latest semantic version (at time of writing).

Now if we alter .npmrc and .yarnrc so that the default registry is an AWS CodeArtifact registry.

.npmrc

registry="<URL to repository for in AWS CodeArtifact>"

.yarnrc

registry "<URL to repository for in AWS CodeArtifact>"

then this causes a change in yarn.lock when reinstalling npm packages (after removing any existing yarn.lock and node_modules/):

yarn.lock

"@types/node@*":
  version "12.20.47"
  resolved "https://registry.yarnpkg.com/@types/node/-/node-17.0.21.tgz#864b987c0c68d07b4345845c3e63b75edd143644"

"@types/node@16.11.9":
  version "16.11.9"
  resolved "https://registry.yarnpkg.com/@types/node/-/node-16.11.9.tgz#879be3ad7af29f4c1a5c433421bf99fab7047185"

Notice the difference in versions for @types/node, even though the upstream repository in AWS is a mirror for the npm public registry.

asked 2 years ago, 163 views
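
Added example (not part of the original question, and not AWS or yarn code): a check that compares the `latest` dist-tag in a registry's package metadata against the highest semantic version and the most recently published version, which is the distinction the question draws. The function names and timestamps are constructed, and the `dist-tags` values are assumptions chosen to reproduce the two yarn.lock results shown above.

```javascript
// Added example: constructed registry metadata, not real registry output.
// Parse a plain "major.minor.patch" version; pre-release versions are skipped.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

// Numeric semver ordering: negative if a < b, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Summarise the three candidates for "latest" in one metadata document.
function describeLatest(packument) {
  const versions = Object.keys(packument.versions).filter(parseVersion);
  const highestSemver = [...versions].sort(compareVersions).pop();
  const newestPublished = [...versions]
    .sort((a, b) => Date.parse(packument.time[a]) - Date.parse(packument.time[b]))
    .pop();
  const tagged = (packument['dist-tags'] || {}).latest;
  let tagFollows = 'neither';
  if (tagged === highestSemver) tagFollows = 'semver';
  else if (tagged === newestPublished) tagFollows = 'publish-date';
  return { tagged, highestSemver, newestPublished, tagFollows };
}

// Constructed sample: version numbers from the question, timestamps invented
// to match the release order given there (12.20.47 published last).
const time = {
  '17.0.19': '2022-02-01T00:00:00Z',
  '17.0.20': '2022-02-02T00:00:00Z',
  '17.0.21': '2022-02-03T00:00:00Z',
  '16.11.26': '2022-02-04T00:00:00Z',
  '12.20.47': '2022-02-05T00:00:00Z',
};
const versions = Object.fromEntries(Object.keys(time).map((v) => [v, {}]));
// Assumed dist-tags: one registry tags by semver, the other by publish date.
const publicRegistry = { 'dist-tags': { latest: '17.0.21' }, versions, time };
const proxyRegistry = { 'dist-tags': { latest: '12.20.47' }, versions, time };

console.log('public:', describeLatest(publicRegistry));
console.log('proxy: ', describeLatest(proxyRegistry));
```

Fed the metadata JSON that each registry returns for the same package, a differing `tagFollows` value shows that the registries disagree on the `latest` tag, independent of the client doing the install.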
No Answers
