[RRFC] Do not publish when "engines" field has an invalid range #259
fabiosantoscode asked this question in RRFC (Unanswered)
Replies: 1 comment 2 replies
Mismatching engines never prevents installation by default in npm, unless the user has engine-strict enabled. That said, more safety and validation as part of publishing seems like a great idea.
Problem statement
It's possible to publish a package to npm that cannot be installed by yarn due to an invalid "engines" field.
Background
Today I published Terser 5.3.6, and it included a change that specified which node versions are compatible with it, through the "engines" package.json field.
However, I was too careless and shipped an invalid version range: ^10.0.0,^11.0.0,^12.0.0,>=14.0.0. After I published, Terser users quickly opened issues and PRs saying they couldn't install the package using yarn.
Proposed solution
I believe that npm publish could have checked the engines.node field as well as engines.npm and made sure that it's a valid semver range. If it's not a valid semver range, it would exit with a non-zero code.
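The check proposed above, as an added example that is not code from npm or from the Terser project: a small pre-publish gate that validates every "engines" entry of a package.json as a semver range and exits non-zero when one is invalid. To run with no dependencies it assumes a regex approximation of node-semver's range grammar (comparator sets joined by "||", comparators separated by whitespace, hyphen ranges, x-ranges); a production check would call validRange() from the "semver" package instead. Note that "," is not a separator in semver ranges (the set separator is "||"), which is exactly why the range quoted in the post is rejected.

```javascript
// Added example, not code from npm or Terser: a pre-publish check that refuses a
// package.json whose "engines" ranges are not valid semver ranges, as the post
// proposes for `npm publish`.
//
// Assumption: to stay dependency-free, isValidRange() uses a regex
// approximation of node-semver's range grammar. A production check would use
// require('semver').validRange(range) !== null instead.

// A partial version: 1, 1.2, 1.2.3, 1.x, *, with optional prerelease/build tags.
const PARTIAL = String.raw`(?:\d+|[xX*])(?:\.(?:\d+|[xX*]))?(?:\.(?:\d+|[xX*]))?(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?`;
// A single comparator: optional operator, optional "v", then a partial version.
const COMPARATOR = String.raw`(?:(?:<=|>=|<|>|=|\^|~>|~)?\s*v?${PARTIAL})`;
// A hyphen range such as "1.2.3 - 2.3.4" (spaces around the dash are required).
const HYPHEN = String.raw`(?:v?${PARTIAL}\s+-\s+v?${PARTIAL})`;
// One comparator set: a hyphen range, whitespace-separated comparators, or "".
const SET_RE = new RegExp(String.raw`^(?:${HYPHEN}|${COMPARATOR}(?:\s+${COMPARATOR})*|)$`);

// Returns true if `range` parses as a semver range under the grammar above.
// "," is not a set separator in semver, so "^10.0.0,^11.0.0" is rejected here.
function isValidRange(range) {
  if (typeof range !== 'string') return false;
  return range.split('||').every((set) => SET_RE.test(set.trim()));
}

// Validates every entry of pkg.engines; returns a list of human-readable
// problems (empty when the field is absent or every range is valid).
function checkEngines(pkg) {
  const problems = [];
  const engines = pkg.engines;
  if (engines === undefined) return problems;
  if (engines === null || typeof engines !== 'object' || Array.isArray(engines)) {
    problems.push('"engines" must be an object mapping engine names to semver ranges');
    return problems;
  }
  for (const [name, range] of Object.entries(engines)) {
    if (!isValidRange(range)) {
      problems.push(`engines.${name}: ${JSON.stringify(range)} is not a valid semver range`);
    }
  }
  return problems;
}

// Constructed sample manifest using the invalid range quoted in the post.
const SAMPLE_PACKAGE = {
  name: 'terser',
  version: '5.3.6',
  engines: { node: '^10.0.0,^11.0.0,^12.0.0,>=14.0.0' },
};

// Given a path (e.g. `node check-engines.js package.json`), behave like the
// proposed publish gate: print each problem and exit non-zero. With no
// argument, run against the constructed sample and only report.
const manifestPath = process.argv[2];
const pkg = manifestPath
  ? JSON.parse(require('fs').readFileSync(manifestPath, 'utf8'))
  : SAMPLE_PACKAGE;
const found = checkEngines(pkg);
for (const p of found) console.error(`error: ${p}`);
if (manifestPath && found.length > 0) process.exit(1);
```

Wiring this in as a prepublishOnly script makes the publish fail before the tarball is uploaded, which is the point of the request: npm itself ignores engine mismatches at install time unless engine-strict is set, but yarn does not, so an invalid range only surfaces once users install.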
Conclusion
I take full responsibility for my dumb mistake, but I believe there could have been a mechanism in npm publish to stop me from publishing a package with an invalid version range.