Description of setup
The web app my team is working on uses yarn as the node package manager with the registry hosted at a CodeArtifact registry. Our team's private npm packages are available on this registry. Our CodeArtifact registry is also configured to have an upstream repository. This upstream repository is connected to https://registry.npmjs.org/.
Issue
Our web app uses multiple packages that have a dependency on "@types/node": "*" (see here). At the time of writing, these are the 5 latest versions sorted in order of their release date.
12.20.47
16.11.26
17.0.21
17.0.20
17.0.19
Given that the dependencies in our app have @types/node: * as a dependency, I would expect that doing yarn install installs the latest version. In the list above, that would be version 17.0.21.
However, when we are doing yarn install with the registry settings to the AWS CodeArtifact registry, we get the version 12.20.47, which is the latest in terms of release date but not the latest in terms of semantic versioning.
Proposal
Can you look at fixing the issue with upstream repositories connected to the public npm registry so that the latest version is always the latest semantic version rather than the latest release date?
Minimum replication
Here is a minimal replication for the issue.
package.json
{
  "name": "demoBug",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "dependencies": {
    "ioredis": "4.28.1"
  },
  "devDependencies": {
    "@types/node": "16.11.9",
    "@types/ioredis": "4.28.1"
  },
  "author": "",
  "license": "ISC"
}
Notice how @types/ioredis is the package that has a dependency on @types/node: "*".
.npmrc
registry="https://registry.yarnpkg.com"
.yarnrc
registry "https://registry.yarnpkg.com"
The result in the yarn.lock file is what is expected.
yarn.lock (with integrity hash removed)
...
"@types/node@*":
  version "17.0.21"
  resolved "https://registry.yarnpkg.com/@types/node/-/node-17.0.21.tgz#864b987c0c68d07b4345845c3e63b75edd143644"
"@types/node@16.11.9":
  version "16.11.9"
  resolved "https://registry.yarnpkg.com/@types/node/-/node-16.11.9.tgz#879be3ad7af29f4c1a5c433421bf99fab7047185"
...
See how the version of @types/node is at the latest semantic version (at time of writing).
Now if we alter .npmrc and .yarnrc so that the default registry is an AWS CodeArtifact registry.
.npmrc
registry="<URL to repository for in AWS CodeArtifact>"
.yarnrc
registry "<URL to repository for in AWS CodeArtifact>"
then this causes a change in yarn.lock when reinstalling npm packages (after removing any existing yarn.lock and node_modules/).
yarn.lock
"@types/node@*":
  version "12.20.47"
  resolved "https://registry.yarnpkg.com/@types/node/-/node-17.0.21.tgz#864b987c0c68d07b4345845c3e63b75edd143644"
"@types/node@16.11.9":
  version "16.11.9"
  resolved "https://registry.yarnpkg.com/@types/node/-/node-16.11.9.tgz#879be3ad7af29f4c1a5c433421bf99fab7047185"
Notice the difference in versions for @types/node, even though the upstream repository in AWS is a mirror for the npm public registry.
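An added example, not part of the original post: a check that compares what a `*` range resolves to against the highest semantic version in a registry's package metadata, so a mirror that drifts from its upstream can be flagged before a lockfile is committed. It assumes the client returns the version carrying the `latest` dist-tag when that version satisfies the range; the two metadata objects are constructed from the five versions listed in the post, and which version each registry tags as `latest` is an assumption chosen to reproduce the two lockfiles.

```javascript
// Parse a plain "x.y.z" version; prerelease and build suffixes are out of scope.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison, major first, then minor, then patch.
function compare(a, b) {
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

function highestSemver(packument) {
  return Object.keys(packument.versions).sort(compare).pop();
}

// Resolve the "*" range. Assumption: the client prefers dist-tags.latest
// when it is present (every plain version satisfies "*") and only then
// falls back to the highest published version.
function resolveStar(packument) {
  const tagged = (packument['dist-tags'] || {}).latest;
  if (tagged && packument.versions[tagged]) return tagged;
  return highestSemver(packument);
}

// Report a registry whose "*" resolution is not its highest version.
function audit(name, packument) {
  const resolved = resolveStar(packument);
  const highest = highestSemver(packument);
  return { name, resolved, highest, mismatch: resolved !== highest };
}

// Constructed sample metadata (not fetched from any registry).
const versions = Object.fromEntries(
  ['12.20.47', '16.11.26', '17.0.21', '17.0.20', '17.0.19'].map(v => [v, {}])
);
const publicRegistry = { 'dist-tags': { latest: '17.0.21' }, versions };
const mirror = { 'dist-tags': { latest: '12.20.47' }, versions };

console.log(audit('public', publicRegistry));
console.log(audit('mirror', mirror));
```

To run it against real data, replace the two constructed objects with the JSON each registry serves for the package metadata document.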