Make default --save semver option configurable

[timoxley]

Allowing the default semver range to to be configurable and passed on the command line will probably get more developers making a conscious choice about their semver ranges on a per-package basis.

Currently, it seems if you don't want to use the default semver, you're effectively punished by npm as you can no longer use any of the --save conveniences that it provides.

Most will pick the default semver range and not give it another thought simply because it's convenient. Maybe that's a good thing though, as ~ is probably better than everyone getting paranoid and using fixed ranges all the time.

Perhaps the issue of whether to use ~ or ^ is solved simply by making it configurable globally and at --save time?

Something like:

$ npm config set semver-range=close # set default to use 'close' range 
$ npm install --save [--range=^ | --range=compat[ible]] express # use ^
$ npm install --save [--range=~ | --range=close | --close] express # use ~
$ npm install --save [--no-range | --range=false] express # use exact version

or perhaps the range keyword is semver:

$ npm install --save [--semver=^ | --semver=compat[ible]] express # use ^
$ npm install --save [--semver=~ | --semver=close | --close] express # use ~
$ npm install --save [--no-semver | --semver=false] express # use exact version

Perhaps packages themselves could indicate how strict they are about semver. i.e. When npm installs a package with --save, it will use the package's 'preferred semver' if the user has not overridden it. Ideally, everyone follows semver strictly but as there's no real way to enforce semver, this doesn't really happen in reality.

e.g. specifying preferred semver via package.json:

{
 "name": "express",
 "preferredSemver": "^", // patch and minors probably safe
}

{
 "name": "mux-demux",
 "preferredSemver": "~", // I follow strict semver
}

{
 "name": "underscore",
 "preferredSemver": "@" // no semver, please use fixed versions
}

{
 "name": "polyfill-webcomponents",
 "preferredSemver": "*" // yolo
}

[timoxley]

Inspired by #4587

[timoxley]

cc @balupton

[balupton]

+1. Although for me, I'd just be happy with a revert of #4587

[domenic]

-1.

Currently, it seems if you don't want to use the default semver, you're effectively punished by npm as you can no longer use any of the --save conveniences that it provides.

This is a good thing. If you want npm's conveniences, you have to buy into npm's paradigm.

[isaacs]

Also -1.

--save is designed to take advantage of the common usage of SemVer versions. Looking at how most packages manage their versions, ^ is almost always the ideal choice. Nudging people towards using ^ will make us all more consistent in how we version our stuff, which is the explicit goal of SemVer.

~ is borrowed from rubygems. It dates from a time before common acceptance of SemVer paradigms, and is routinely confusing to people. Making it not confusing (ie, making it do what ^ does) makes people confused who are familiar with how it works in rubygems. It is problematic, and we should not be encouraging its use.

I do not want to add multiple different configurable ways to do this. However, I would be ok with adding a single --save-exact | -E boolean option, which causes it to always save the exact version number installed. Patch welcome for that.

[timoxley]

Points noted. Thanks for elaborating @isaacs

[balupton]

How does something like this get the attention of @domenic and @isaacs but missing packages of #4596 don't?

[isaacs]

@balupton Well, about a dozen people (including you) pinged me personally on twitter about this issue, and one person IM'ed me directly asking for a response. I'll dig into #4596 today.