inconsistent npm version resolution

[rnbguy]

I am trying to an npm package that has a dependency antlr4ts@^0.5.0-alpha.4. 0.5.0-alpha.4 is marked as latest, but Deno pulls antlr4ts@0.5.0-dev.

This doesn't work for me - as antlr4ts@0.5.0-dev has breaking changes from antlr4ts@0.5.0-alpha.4.

I do agree that 0.5.0-dev comes after 0.5.0-alpha.4 - even, node semver confirms this.

$ deno run npm:semver -h
Usage: semver [options] <version> [<version> [...]]
Prints valid versions sorted by SemVer precedence
$ deno run npm:semver ^0.5.0-alpha.4 0.5.0-beta
0.5.0-beta

But somehow pacote (used inside npm) resolves antlr4ts@^0.5.0-alpha.4 to 0.5.0-alpha.4.

$ deno run -A npm:pacote resolve antlr4ts@^0.5.0-alpha.4
http fetch GET 200 https://registry.npmjs.org/antlr4ts 1ms (cache revalidated)
https://registry.npmjs.org/antlr4ts/-/antlr4ts-0.5.0-alpha.4.tgz

So I did some digging and realized that pacote uses npm-pick-manifest, that has a particular logic, which indicates that if a given tag (defaults to latest) matches with the given version requirement, npm uses the tagged version directly - it doesn't iterate over the versions array.

So in my case, npm-pick-manifest was using the default latest tag and matching with ^0.5.0-alpha.4 and returning early. Whereas Deno npm resolver was going through the version array and picking the latest by semver spec i.e. 0.5.0-dev.