fix(npm): respect install_before when resolving dist-tag versions

[webkaz]

Summary

• When install_before is set (per-tool or global), NPMBackend::latest_stable_version now delegates to latest_version_with_opts (which filters by created_at timestamps) instead of using the dist-tags shortcut that returns the absolute latest version
• Pre-release versions are already excluded by VERSION_REGEX in fuzzy_match_filter, so the resolved version is always a stable release — same as dist-tags.latest

Fixes #9136

Details

NPMBackend::latest_stable_version overrides the default trait implementation to use npm view <pkg> dist-tags --json. This shortcut ignores install_before date filtering.

The primary install path (mise install) is unaffected because effective_before_date sets ResolveOptions.before_date, and latest_version_with_opts routes through list_versions_matching_with_opts — bypassing latest_stable_version entirely.

However, callers that don't go through effective_before_date — such as mise latest and mise edit — reach latest_stable_version directly. The fix adds a guard that checks per-tool install_before (via config.get_tool_opts) and the global setting, then delegates to the existing date-filtered resolution path.

Note on pre-release versions

The fallback path uses fuzzy_match_filter which excludes pre-release versions (-alpha, -beta, -rc, etc.) via VERSION_REGEX. In the rare case where a package tags a pre-release as latest in dist-tags, the fallback would resolve to the newest stable version instead. This only affects the install_before code path and matches how all other backends handle latest.

Test plan

• New E2E test e2e/backend/test_npm_install_before: uses mise latest with MISE_INSTALL_BEFORE to verify latest_stable_version respects the date cutoff
• Existing unit tests pass (cargo test --bin mise backend::npm::tests — 8/8)
• cargo check passes
• CI: macOS unit, Windows unit, Windows E2E all pass

Generated with Claude Code

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

[gemini-code-assist]

Code Review

This pull request fixes a bug in the NPM backend where the install_before setting was ignored during version resolution because the dist-tags fast path always returned the absolute latest version. The fix involves bypassing this fast path when a date cutoff is configured. Feedback suggests updating the new E2E tests to use the mise latest command directly to ensure the specific code path is exercised, and considering a more generalized fix across other backends that might share this behavior.

[Copilot]

Pull request overview

This PR updates the npm backend’s “latest stable” resolution so global install_before is respected even in code paths that call latest_stable_version directly (notably mise latest / mise edit), avoiding the dist-tags.latest shortcut which ignores date filtering.

Changes:

• In NPMBackend::latest_stable_version, detect global Settings::install_before and delegate to latest_version_with_opts with a before_date cutoff.
• Add a new E2E test intended to cover install_before behavior for the npm backend.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
src/backend/npm.rs	Bypasses dist-tags when global install_before is set, routing through date-filtered version resolution.
e2e/backend/test_npm_install_before	Adds an E2E regression test around install_before + npm:prettier resolution.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[greptile-apps]

Greptile Summary

This PR fixes a bug where NPMBackend::latest_stable_version ignored install_before date filtering because it used the dist-tags shortcut, which always returns the absolute latest version. The fix adds a guard that checks both the global Settings::get().install_before and per-tool opts, then delegates to latest_version_with_opts (which filters by created_at timestamps) when a cutoff date is present. An E2E test using mise latest npm:prettier with MISE_INSTALL_BEFORE confirms the regression is resolved.

Confidence Score: 5/5

This PR is safe to merge; the fix is targeted and correct with no regressions on the unfiltered path.

The change is a focused guard in a single method. The date-filtered path (latest_version_with_opts) is the already-tested, existing mechanism used by mise install; this PR just routes mise latest/mise edit into it when install_before is set. The cache bypass is intentional — caching an unfiltered 'absolute latest' would defeat the filter. The E2E test directly exercises the fixed code path with stable historical data. No existing tests are broken, and there are no correctness, data-integrity, or security concerns.

No files require special attention.

Important Files Changed

Filename	Overview
src/backend/npm.rs	Adds a guard in latest_stable_version to bypass the dist-tags shortcut and delegate to date-filtered path when install_before is set; logic is correct and the cache bypass is intentional.
e2e/backend/test_npm_install_before	New E2E regression test using mise latest npm:prettier to verify date-filtered resolution; uses stable historical version dates so the assertions should remain reliable.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["latest_stable_version(config)"] --> B{install_before set?}
    B -- "global Settings or\nper-tool opts" --> C["latest_version_with_opts\n(query=None, before=Some(ts))"]
    B -- "not set" --> D["latest_version_cache (locked)"]
    C --> E["list_versions_matching_with_opts\n(query='latest', before=Some(ts))"]
    E --> F["_list_remote_versions\nnpm view versions time --json"]
    F --> G["VersionInfo::filter_by_date"]
    G --> H["fuzzy_match_filter\nexclude pre-releases via VERSION_REGEX"]
    H --> I["find_match_in_list → last()"]
    D --> J["npm view dist-tags --json\n→ dist_tags['latest']"]
    I --> K["Date-filtered stable version"]
    J --> L["Absolute latest version"]

Loading

_{Reviews (2): Last reviewed commit: "fix(npm): also check per-tool install_be..." | Re-trigger Greptile}

[webkaz]

Thanks @risu729 — updated in ea45fc0. Now checks per-tool install_before via config.get_tool_opts(self.ba()) before falling back to the global setting.