Installing deps with range ^ doesn't pick the latest available version #3873

Closed
scinos opened this issue Jul 29, 2023 · 10 comments · Fixed by #6611
Labels: bug (Something isn't working), npm (Something that relates to the npm-compatible client)


@scinos

scinos commented Jul 29, 2023

What version of Bun is running?

v0.6.15 (1790357)

What platform is your computer?

Darwin 21.6.0 arm64 arm

What steps can reproduce the bug?

Create a package with a package.json like:

{
  "name": "my-package",
  "dependencies": {
    "minimatch": "^3.0.4"
  }
}

Then run bun install

What is the expected behavior?

I'd expect to have minimatch@3.1.2 as a dependency, as it is the highest available version that matches the range ^3.0.4, as shown by npm info minimatch versions:

image

What do you see instead?

minimatch@3.0.8 is installed, as shown by bun pm ls --all:

image

Additional information

Checking the ranges and versions in https://semver.npmjs.com/ for minimatch and ^3.0.4, I saw 3.0.8 is listed after 3.1.2:

image

Looks like it was released later too:

image

No idea if this is related or is a red herring

@scinos scinos added the bug Something isn't working label Jul 29, 2023
@Electroid Electroid added the npm Something that relates to the npm-compatible client label Jul 30, 2023
@ArnaudBarre
Contributor

Yep, I don't know if this is related to the state of my local cache, but on an empty dir running bun install eslint --yarn gives this in the yarn.lock:

minimatch@^3.0.5:
  version "3.0.8"
  resolved "https://registry.npmjs.org/minimatch/-/minimatch-3.0.8.tgz"
  integrity sha512-6FsRAQsxQ61mw+qP1ZzbL9Bc78x2p5OqNgNpnoAFLTrX8n5Kxph0CsnhmKKNXTWjXqU5L0pGPR7hYk+XWZr60Q==
  dependencies:
    brace-expansion "^1.1.7"

minimatch@^3.1.1, minimatch@^3.1.2:
  version "3.1.2"
  resolved "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz"
  integrity sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==
  dependencies:
    brace-expansion "^1.1.7"

@Jarred-Sumner
Collaborator

Jarred-Sumner commented Aug 13, 2023

I suspect it's a bug where ^3.0.x gets treated as > 3.0.x and < 3.0.9999999, instead of > 3.0.x and < 4.0.0

@cainrus

cainrus commented Aug 28, 2023

Guys, it seems to me that everything works as it should, because ^(caret) only updates the patch version

@scinos
Author

scinos commented Aug 28, 2023 via email

@cainrus

cainrus commented Aug 28, 2023

@scinos You're absolutely right! 👍 I was confused with the tilde behavior

@mleonowicz

mleonowicz commented Sep 4, 2023

Any updates in the issue? I am having (I think) a similar problem.
When having "vue-toastification": "^2.0.0-rc.5" in my package.json and using npm install I get version ^2.0.0-rc.5, but when using bun install I get 2.0.0-dev.1.

Running npm info vue-toastification results in:

vue-toastification@1.7.14 | MIT | deps: none | versions: 63
Toasts for Vue made easy!
https://github.com/Maronato/vue-toastification#readme

keywords: vue, notification, toast

dist
.tarball: https://registry.npmjs.org/vue-toastification/-/vue-toastification-1.7.14.tgz
.shasum: 4d6af4085f7122463c2821a27f851898b265cc85
.integrity: sha512-khZR8t3NWZ/JJ2MZxXLbesHrRJ8AKa75PY5Zq8yMifF9x8lHq8ljYkC0d2PD9yahooygQB5tcFyRDkbbIPx8hw==
.unpackedSize: 562.0 kB

maintainers:
- maronato <gustavomaronato@gmail.com>

dist-tags:
dev: 2.0.0-dev.1  latest: 1.7.14    next: 2.0.0-rc.5  

published a year ago by maronato <gustavomaronato@gmail.com>

@WbaN314

WbaN314 commented Sep 19, 2023

I can confirm the same issue with bun v.1.0.1 where "lines-and-columns": "^1.1.6" downloads 1.2.0 instead of 1.2.4. According to https://semver.npmjs.com/ the ^1.1.6 matching versions are:

1.1.6
1.1.7
1.1.8
1.1.9
1.1.10
1.1.11
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4

1.2.0 is even marked as deprecated. Tried both with filled and empty bun cache.

I have not much understanding of Zig but there are not many test cases for "^" semvers in https://github.com/oven-sh/bun/blob/main/src/install/semver.zig, maybe someone who knows the language can spot a bug at first glance.

@AndriiZelenskyi

Hey, team! Thank you for the fantastic product. We are trying to add it to the production project. In the 1.0.3 version, we get the same error described here. You can check out the lines-and-columns dependency as an example.

After patching the dependency, I got the problem with one more dependency. So, we are blocked because of this issue. I'm surprised that this issue gets such a low activity.

Dependency list

  "devDependencies": {
    "@babel/core": "^7.20.5",
    "@babel/eslint-parser": "^7.19.1",
    "@babel/plugin-transform-runtime": "^7.19.6",
    "@babel/preset-env": "^7.20.2",
    "@babel/preset-react": "^7.18.6",
    "@babel/preset-typescript": "^7.18.6",
    "@babel/runtime": "^7.20.6",
    "@svgr/webpack": "^6.5.1",
    "@testing-library/jest-dom": "^5.16.5",
    "@types/babel__core": "^7.1.20",
    "@types/react-csv": "^1.1.3",
    "@types/react-modal": "^3.13.1",
    "@types/styled-components": "^5.1.26",
    "@types/testing-library__jest-dom": "^5.14.5",
    "@typescript-eslint/eslint-plugin": "^4.33.0",
    "@typescript-eslint/parser": "^4.29.1",
    "babel-jest": "^29.3.1",
    "concurrently": "^6.2.1",
    "cross-env": "^7.0.3",
    "eslint": "^7.32.0",
    "eslint-config-airbnb": "^18.2.1",
    "eslint-config-airbnb-typescript": "^12.3.1",
    "eslint-config-prettier": "^8.5.0",
    "eslint-config-ts-react-important-stuff": "^3.0.0",
    "eslint-import-resolver-webpack": "^0.13.2",
    "eslint-plugin-import": "^2.26.0",
    "eslint-plugin-jest": "^24.4.0",
    "eslint-plugin-jsx-a11y": "^6.6.1",
    "eslint-plugin-node": "^11.1.0",
    "eslint-plugin-prettier": "^4.2.1",
    "eslint-plugin-promise": "^6.1.1",
    "eslint-plugin-react": "^7.31.11",
    "eslint-plugin-react-hooks": "^4.6.0",
    "eslint-plugin-sonarjs": "^0.16.0",
    "file-loader": "^6.2.0",
    "husky": "^7.0.2",
    "identity-obj-proxy": "^3.0.0",
    "jest": "^29.3.1",
    "jest-cli": "^29.3.1",
    "jest-sonar-reporter": "^2.0.0",
    "jsdom": "^22.1.0",
    "openapi-client-axios-typegen": "^6.0.0",
    "prettier": "^3.0.3",
    "pretty-quick": "^3.1.3",
    "ts-config-single-spa": "^3.0.0",
    "ts-jest": "^29.0.3",
    "typescript": "4.9.3",
    "webpack": "^5.75.0",
    "webpack-cli": "^5.0.0",
    "webpack-config-single-spa-react": "^4.0.4",
    "webpack-config-single-spa-react-ts": "^4.0.4",
    "webpack-config-single-spa-ts": "^4.1.3",
    "webpack-dev-server": "^4.11.1",
    "webpack-merge": "^5.8.0"
  },
  "dependencies": {
    "@emotion/react": "^11.10.4",
    "@emotion/styled": "^11.10.5",
    "@mergeapi/react-merge-link": "^1.2.3",
    "@mui/icons-material": "^5.10.9",
    "@mui/material": "^5.10.11",
    "@mui/x-date-pickers": "^5.0.3",
    "@okta/okta-auth-js": "^7.1.0",
    "@okta/okta-react": "^6.7.0",
    "@react-types/switch": "^3.1.4",
    "@reduxjs/toolkit": "^1.8.3",
    "@sentry/react": "^7.21.1",
    "@sentry/tracing": "^7.17.3",
    "@szhsin/react-menu": "^2.3.4",
    "@tanstack/react-query": "^4.29.19",
    "@testing-library/react": "^12.1.5",
    "@testing-library/react-hooks": "^8.0.1",
    "@types/jest": "^29.2.3",
    "@types/react": "^17.0.45",
    "@types/react-dom": "^17.0.9",
    "@types/systemjs": "^6.13.0",
    "@types/webpack-env": "^1.18.0",
    "@types/yup": "^0.29.13",
    "@workmotion/feature-flags-library": "^0.2.0",
    "axios": "^0.24.0",
    "date-fns": "^2.28.0",
    "dotenv-webpack": "^8.0.1",
    "formik": "^2.2.9",
    "jest-environment-jsdom": "^29.5.0",
    "node-polyfill-webpack-plugin": "^2.0.1",
    "openapi-client-axios": "^4.3.3",
    "rc-dropdown": "^4.0.1",
    "rc-pagination": "^3.2.0",
    "react": "^17.0.2",
    "react-avatar": "^5.0.3",
    "react-csv": "^2.2.2",
    "react-dom": "^17.0.2",
    "react-dropzone": "^14.2.3",
    "react-error-boundary": "^3.1.4",
    "react-infinite-scroll-component": "^6.1.0",
    "react-modal": "^3.16.1",
    "react-phone-number-input": "^3.2.12",
    "react-redux": "^8.0.2",
    "react-router-dom": "^6.4.3",
    "react-toastify": "^7.0.4",
    "redux": "^4.2.0",
    "remark": "^14.0.2",
    "single-spa": "^5.9.3",
    "single-spa-react": "^4.3.1",
    "styled-components": "^5.3.3",
    "use-debounce": "^9.0.1",
    "workmotion-design-system": "^4.60.3",
    "yup": "^0.32.11"
  },

@marcinwilkdev

I think this function is the problem https://github.com/oven-sh/bun/blame/5d09a061004804e7f6e7cf55c3d30068efa33387/src/install/semver.zig#L1270

This function only checks whether the two compared versions contain a tag, and then compares their [major, minor, patch], but according to the specification at https://github.com/npm/node-semver/blob/14d263faa156e408a033b9b12a2f87735c2df42c/README.md?plain=1#L181 it should always return false if the compared tags are different.

@scinos
Author

scinos commented Sep 20, 2023

I'm seeing this behavior with ^3.0.4, 3.0.8 and 3.1.2, no tags involved. But @marcinwilkdev's comment might explain #3684?
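An added illustration, not part of the thread and not Bun's or node-semver's code: a minimal caret-range resolver covering the two behaviours discussed above. It picks the highest match by semver order rather than registry listing order, and it lets a prerelease version match only when the range itself carries a prerelease on the same major.minor.patch. The function names and the version list are constructed for this example.

```javascript
// Added example: handles x.y.z and x.y.z-prerelease only (no build metadata).
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error("unsupported version: " + v);
  return { raw: v, core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split(".") : [] };
}

// Prerelease precedence: a release outranks any prerelease of the same core.
function comparePre(a, b) {
  if (!a.length || !b.length) return b.length - a.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (a[i] === undefined) return -1; // shorter identifier list sorts first
    if (b[i] === undefined) return 1;
    if (a[i] === b[i]) continue;
    const an = /^\d+$/.test(a[i]), bn = /^\d+$/.test(b[i]);
    if (an && bn) return +a[i] - +b[i];
    if (an !== bn) return an ? -1 : 1; // numeric ids sort below alphanumeric
    return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a.core[i] !== b.core[i]) return a.core[i] - b.core[i];
  return comparePre(a.pre, b.pre);
}

// ^x.y.z := >=x.y.z and below the next bump of the left-most non-zero component.
function caretUpper(base) {
  const i = base.core.findIndex((n) => n !== 0), k = i === -1 ? 2 : i;
  const core = base.core.map((n, j) => (j < k ? n : j === k ? n + 1 : 0));
  return { core, pre: ["0"] }; // "<X.Y.Z-0" also excludes prereleases of the bound
}

function satisfiesCaret(version, range) {
  const v = parse(version), base = parse(range.replace(/^\^/, ""));
  // Prerelease gate: only when the range has a prerelease on the same x.y.z.
  const sameCore = v.core.every((n, i) => n === base.core[i]);
  if (v.pre.length && !(base.pre.length && sameCore)) return false;
  return compare(v, base) >= 0 && compare(v, caretUpper(base)) < 0;
}

// Highest match by semver order, never by position in the input list.
function maxSatisfying(versions, range) {
  const hits = versions.filter((v) => satisfiesCaret(v, range)).map(parse);
  return hits.length ? hits.reduce((best, v) => (compare(v, best) > 0 ? v : best)).raw : null;
}

// Constructed list in publish order: 3.0.8 appears after 3.1.2, as in the report.
const MINIMATCH_PUBLISH_ORDER = ["3.0.4", "3.1.1", "3.1.2", "3.0.8"];
```

With the constructed list, `maxSatisfying(MINIMATCH_PUBLISH_ORDER, "^3.0.4")` returns 3.1.2 even though 3.0.8 comes last in the input.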
