Loose range parser incorrectly recognizes some URLs as valid version ranges #42

tmhedberg opened this Issue · 2 comments

2 participants


Under specific circumstances, parseRange will successfully parse a URL string as a valid SemVer range, if loose parsing is enabled.

This is, for instance, problematic for npm (or more correctly, the read-installed library upon which npm depends), as it relies on node-semver failing to parse a string in order to determine if a given string is a URL. npm dependency version strings which node-semver cannot parse (e.g. Git URLs) are assumed to be satisfied by any installed version of the specified package, whereas those which it can parse are only satisfied if the installed version of the package is covered by the parsed range.

One specific condition under which this bug can be reproduced (though I doubt that it is limited to only this case) occurs when the Git URL contains a username and password (i.e. for HTTP basic authentication) and the password happens to end in a string of digits beginning with a zero.

Here is a minimal example:

var semver = require('semver');

new semver.Range('git+', true);
// Fails to parse, as expected

new semver.Range('git+', true);
// Fails to parse, as expected

new semver.Range('git+', true);
// Successfully parses as: <SemVer Range ">=123.0.0-0 <124.0.0-0">

If the final URL in the above example is used as a dependency version string in an npm package.json file, npm will incorrectly consider the dependency unsatisfied unless the installed version number of the package in question coincidentally happens to fall between 123.0 and 124.0.
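The ordering problem the report above describes (a consumer inferring "this is a URL" from a range parser having failed) is general, so here is an added example of the safer ordering. It is not node-semver's, read-installed's or npm's code, and it is not from this issue's author: the URL patterns, the strict range grammar, the helper names and the sample specs are all assumptions constructed for the example. It decides "URL" with an explicit check first, validates what is left against an anchored grammar that rejects leading zeros, and treats anything that matches neither as invalid rather than as a URL; a helper also strips embedded credentials (the trigger in this report) before a spec is logged.

```javascript
'use strict';
// Added example, not node-semver's or npm's code. It shows the ordering the
// issue above argues for: decide whether a dependency spec is a URL with an
// explicit check, then validate the remainder against a strict, anchored range
// grammar. Nothing here is inferred from a parser throwing.

// Explicit URL detection (assumed patterns): scheme-with-authority URLs such as
// git+https://..., git+ssh://..., https://..., and scp-style git@host:path.
const URL_RE = /^[A-Za-z][A-Za-z0-9+.-]*:\/\//;
const SCP_RE = /^[^\s:\/@]+@[^\s:\/@]+:/;

// Strict, anchored subset of semver range syntax (an assumption of this
// example, not node-semver's grammar). Leading zeros are rejected, so a digit
// run such as "0123" inside a password can never be read as a version part.
const PART = String.raw`(?:0|[1-9]\d*|[xX*])`;
const IDENT = String.raw`[0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*`;
const VERSION = String.raw`${PART}(?:\.${PART}){0,2}(?:-${IDENT})?(?:\+${IDENT})?`;
const COMPARATOR = String.raw`(?:>=|<=|>|<|=|~>?|\^)?${VERSION}`;
const HYPHEN = String.raw`${VERSION}\s+-\s+${VERSION}`;
// A comparator set is a hyphen range or one or more comparators; an empty set
// means "any version". Sets are joined with "||".
const SET = String.raw`(?:${HYPHEN}|${COMPARATOR}(?:\s+${COMPARATOR})*)?`;
const RANGE_RE = new RegExp(String.raw`^${SET}(?:\s*\|\|\s*${SET})*$`);

// Returns 'url', 'range' or 'invalid'. Order matters: the URL test runs first,
// and a spec that is neither is rejected instead of being assumed to be a URL.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (URL_RE.test(s) || SCP_RE.test(s)) return 'url';
  if (RANGE_RE.test(s)) return 'range';
  return 'invalid';
}

// The fragile pattern the issue describes, kept here for contrast: any false
// positive in parseRange silently turns a URL into a version constraint.
function classifyByParseFailure(spec, parseRange) {
  try {
    parseRange(spec);
    return 'range';
  } catch (e) {
    return 'url';
  }
}

// Credentials embedded in a dependency URL should never reach logs or error
// messages. Strips the userinfo from authority-style URLs; other specs pass.
function redactCredentials(spec) {
  if (!URL_RE.test(spec)) return spec;
  const u = new URL(spec);
  u.username = '';
  u.password = '';
  return u.href;
}

// Constructed sample specs (the URLs in the issue itself are not shown here).
const SAMPLE_SPECS = [
  'git+https://user:pass0123@example.com/org/repo.git',
  'git@example.com:org/repo.git',
  '>=123.0.0-0 <124.0.0-0',
  '1.x || >=2.5.0 || 5.0.0 - 7.2.3',
  'latest',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const spec of SAMPLE_SPECS) {
    console.log(`${classifySpec(spec).padEnd(7)} ${redactCredentials(spec)}`);
  }
}
```

The point of `classifyByParseFailure` is what it does not control: whichever parser is passed in decides the outcome, so a parser that accepts one odd string flips a dependency from "satisfied by any installed version" to "satisfied only by a narrow range", exactly the effect reported above. With `classifySpec` the range parser only ever sees strings that already passed the strict grammar, and a URL is a URL regardless of what the parser would have made of it.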


Ha! Yeah, that's a bug.

isaacs closed this issue from a commit:
Trim comparators properly
Remove the extra space

Fixes GH-42
isaacs closed this in 25e4381

