This repository has been archived by the owner on Aug 11, 2022. It is now read-only.

don't allow to publish legacy versions with implicit latest tag #4709

Closed
rlidwka opened this issue Feb 18, 2014 · 6 comments

Comments

@rlidwka
Contributor

rlidwka commented Feb 18, 2014

Just a crazy idea to mitigate the issue with latest tag (#3397):

$ npm init
$ npm version 2.0.0
v2.0.0
$ npm publish 
$ npm version 1.9.0
v1.9.0

# this should fail:
$ npm publish

# this should pass:
$ npm publish --tag latest

# or maybe this instead?
$ npm publish --force

I'm not sure it's a good one (I would be in favor of removing latest tag entirely), but maybe it's worth a shot.

@smikes
Contributor

smikes commented Feb 22, 2015

So to spec out this feature in pseudo-code, it looks like this:

// get the current dist-tags and versions for this package from the registry
if (semver.gt(registry.latest, package.version) &&
    npm.config.get('tag') === 'latest') {
  // error: you are about to publish `package.version` as `latest`,
  // but `latest` is currently `registry.latest` ( >= `package.version`)
  // you can override this guard with `--force`
  process.exit(1)
}

@smikes
Contributor

smikes commented Feb 22, 2015

One concern is that the way config is currently implemented, there is no distinction between

npm publish
npm publish --tag latest

So making a behavioral distinction based on that would be tricky. We do already have a --force config parameter, so I would probably hook the functionality off of that.

@othiym23
Contributor

This is enough of a footgun to have bitten several members of the CLI team over the years; that implies that it's something we should definitely address. There's a bit of trickiness to deal with the issue that @smikes mentions, but if you know about npm.config.get('tag', 'cli') then it's easy enough to work around. The CLI team will take this on eventually, but it may be a while, so any of y'all who feel strongly about this should feel free to put together a patch.

@iarna
Contributor

iarna commented Jun 22, 2016

Docs for npm.config.get are over here: https://www.npmjs.com/package/config-chain#chaingetkey-name

And possible sources are: builtin, global, user, project, env, cli
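Putting @smikes's pseudo-code together with the config-source distinction @othiym23 and @iarna describe, here is an added example of the guard (not npm's own code). It assumes plain MAJOR.MINOR.PATCH versions and models the `--tag` source and `--force` as plain option flags (hypothetical names), since the verifier has no npm internals or the semver package available.

```javascript
// Added example, not npm's code: a pre-publish guard that refuses to move the
// implicit "latest" dist-tag backwards to an older version.

// Parse "x.y.z" (optional leading "v") into [major, minor, patch]. Assumption:
// no prerelease/build suffixes, which is enough to illustrate the guard.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator in the style of semver.compare: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// distTags: the registry's dist-tags object, e.g. { latest: '2.0.0' } (constructed in tests)
// version:  the version about to be published
// opts.tag:        tag that will be applied; npm defaults this to 'latest'
// opts.tagFromCli: true only when --tag was given explicitly on the command line
//                  (what npm.config.get('tag', 'cli') would tell you)
// opts.force:      true when --force was given
// Returns { ok: true } or { ok: false, reason } so a caller can decide how to abort.
function checkLatestGuard(distTags, version, opts) {
  const { tag = 'latest', tagFromCli = false, force = false } = opts || {};
  const current = distTags && distTags.latest;
  // Nothing to protect: a non-latest tag, or a package with no latest yet.
  if (tag !== 'latest' || !current) return { ok: true };
  // Publishing a newer (or the same, which the registry rejects anyway) version is fine.
  if (compareVersions(current, version) <= 0) return { ok: true };
  // An explicit `--tag latest` or `--force` is the user opting in to the downgrade.
  if (tagFromCli || force) return { ok: true };
  return {
    ok: false,
    reason: `refusing to publish ${version} as "latest": latest is currently ${current} ` +
      '(newer); pass --tag latest explicitly or --force to override',
  };
}
```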

@ljharb
Contributor

ljharb commented Jun 28, 2016

I just published https://twitter.com/ljharb/status/747909983652585473 / https://www.npmjs.com/package/safe-publish-latest to help with this - I'd love to see something like this available in npm natively (just like the in-publish package's effects)

@npm-robot

We're closing this issue as it has gone thirty days without activity. In our experience if an issue has gone thirty days without any activity then it's unlikely to be addressed. In the case of bug reports, often the underlying issue will be addressed but finding related issues is quite difficult and often incomplete.

If this was a bug report and it is still relevant then we encourage you to open it again as a new issue. If this was a feature request then you should feel free to open it again, or even better open a PR.

For more information about our new issue aging policies and why we've instituted them please see our blog post.
