npm / node-semver Goto Github PK

In the documentation is written:
Ranges can be joined with either a space (which implies "and") [...]

But it does not work with space. It always return false.

Here is an example:

> semver.satisfies('1.2.3', "~1.2.1")
true
> semver.satisfies('1.2.3', "1.2.3")
true
> semver.satisfies('1.2.3', "~1.2.1 1.2.3")
false
> semver.satisfies('1.2.3', "1.2.3 1.2.3")
false

all this cases should return true.

I tested is with [email protected] and [email protected]

semver v1.1.4

console.log(semver.gte('2.1', '3.2'),
            semver.gte('3.1', '3.2'),
            semver.gte('3.2', '3.2'),
            semver.gte('3.3', '3.2'));

I expected to see false, false, true, true. Instead I see true, true, true, true.

I have a situation where I have an API version and my web frontend is aware of that version at application start. When doing live updates of the backend, I want to be able to decide which connections coming from frontend can be considered API stable with my backend (does this make sense?).

Example

1. Server runs version 0.1.2
2. User starts and thus now runs on version 0.1.2
3. Server application gets upgraded to 0.1.3
4. User interacts with server, but now there is a version mismatch.

In this case, I want to say 0.1.2 satisfies 0.1.x, so the APIs are compatible. Because all version information comes from variables here, I'm wondering how I should go about generating the 0.1.x range, or >=0.1.0 <0.2.0 range. To generate the latter I was thinking of this:

var version = '0.1.2';
var str = '>=' + semver.truncate(version, 'patch') + ' <' + semver.inc(version, 'minor');
// now do a satisfies check

The inc() method already exists, but truncate() does not. Do you think it would make sense to add a method like that?

I guess, semver do not like the 'x' notation.

The range is reported as valid:

> semver.validRange('5.0.0 - 7.2.x')
'5.0.0 >=7.2.0- <7.3.0-'

But satisfies a version in that range do not work:

> semver.satisfies('6.2.3', '5.0.0 - 7.2.x')
false

But that should return true.

I tested it with [email protected]

I wrote a site with semver 1.1.4. Now I'm trying to update it, and I find that the current version is 2.2.1, but there is no history.md file so I don't know what's changed or how I'll have to modify my code if I update. I don't really want to have to read every commit between 1.1.4 and now. Is there no document somewhere that gives a simple straightforward explanation like "change this function name" or "add this parameter to this function"?

When using browserify on a module using semver, browserify tries to include tap and fails.

This issue aside, it would be slightly cleaner to split the tests in a tests.js file and call this one with tap, right ?

Thanks!

Expected:

satisfies('1.2.3', '^1.2.2') // true
satisfies('1.2.3-a', '^1.2.2') // false
satisfies('1.2.3-b', '^1.2.3-a') // true
satisfies('1.2.4-a', '^1.2.3-a') // false

^x.y.z-pre should match >= prereleases on x.y.z, but not on any other version.
^x.y.z should not match any prerelease versions, period.

Testing 2.2.1 and everything that's not already clean gets null.

> s.clean('1.3.2');
'1.3.2'
> s.clean('~1.3.2');
null
> s.clean('=1.3.2');
null
> s.clean('  =v1.2.3   ');
null

With [email protected] I am seeing the following understandable, yet semantically incorrect behavior, based on this definition of the inc method in the README:

Return the version incremented by the release type (major, minor, patch, or prerelease), or null if it's not valid.

// 0.1.2 incremented via "prerelease" really decremements to
// 0.1.2-0, instead of incrementing to 0.1.3-0.
semver.inc('0.1.2', 'prerelease').toString() // '0.1.2-0'

// Specifically:
semver.gt('0.1.2-0', '0.1.2') // false

While not "semantically correct," the aforementioned behavior is understandable, because the library has no way of knowing if the user intends to increment from 0.1.2 to 0.1.3-0 or 0.2.0-0 or 1.0.0-0. The current solution is to do this:

// This feels awkward. Is there a better way? Should it at
// least be documented?
semver.parse('0.1.2').inc('patch').inc('prerelease').toString() // '0.1.3-0'
semver.parse('0.1.2').inc('minor').inc('prerelease').toString() // '0.2.0-0'
semver.parse('0.1.2').inc('major').inc('prerelease').toString() // '1.0.0-0'

This behavior, however, is just incorrect:

// 0.1.3-0 incremented via "patch" really double-increments
// past 0.1.3 to 0.1.4. This should return '0.1.3'.
semver.inc('0.1.3-0', 'patch').toString() // '0.1.4'

// The "minor" and "major" release types appear to work fine,
// however.
semver.inc('0.1.3-0', 'minor').toString() // '0.2.0'
semver.inc('0.1.3-0', 'major').toString() // '1.0.0'

v.satisfies('1.4.7','~1.2') should return true based on docs:

~1.2 := >=1.2.0 <2.0.0

instead it returns false

Not pressing or urgent, but mostly for API symmetry, it'd be nice to have truncate/decrement functions.

1. semver.truncate('1.2.3-foo', 'patch') == '1.2.3'
2. semver.truncate('1.2.3', 'minor') == '1.2.0'
3. semver.truncate('1.2.3', 'major') == '1.0.0'
4. semver.dec('1.2.3-foo', 'patch') == '1.2.2'
5. semver.dec('1.2.3', 'minor') == '1.1.0'
6. semver.dec('1.2.3', 'major') == '0.0.0'

Re #46, but the use case presented there turned out to not require this functionality. It's still probably useful, though.

cc @ronkorving

Please clarify that you intent on making this code available under the MIT Open Source license. I assume that you are, but I'd rather not assume, and see the license explicitly . Thanks! Gil

when specifying a patch range, ~ means greater than of equal to the next least significant value, but before but don't go into the next range.

i.e. ~1.2.3 means, I want patches to this module, but not if it means taking a new feature.
contrast that with 1.2.3 which means only use this exact version.

indeed,

assert.deepEqual(semver.toComparators('~1.2.3'), semver.toComparators('1.2.3')) throws, as it should.

however,

you can also say '~1.2' which, if I was extending the meaning of ~ from before id expect it to give me 1.2.3, 1.3.4, but not 2.0.0.

however,

deepEqual(toComparators('~2.16'), toComparators('2.16')) does not throw!

turns out, ~ on means anything when you have a full semver and nothing when you have only one or two values.

This behaviour is documented
(although, it could be documented more clearly by saying that in ~x.y '~' is ignored.)

Would you take a patch to make ~ behave consistently?

Was this an intended change?

app0:/tmp# npm install [email protected]
npm http GET https://registry.npmjs.org/underscore.string/2.2.0-rc
npm http 404 https://registry.npmjs.org/underscore.string/2.2.0-rc
npm ERR! Error: version not found: 2.2.0-rc : underscore.string/2.2.0-rc
npm ERR!     at RegClient.<anonymous> (/usr/lib/nodejs/npm/node_modules/npm-registry-client/lib/request.js:272:14)
npm ERR!     at Request.init.self.callback (/usr/lib/nodejs/npm/node_modules/request/index.js:148:22)
npm ERR!     at Request.EventEmitter.emit (events.js:99:17)
npm ERR!     at Request.onResponse (/usr/lib/nodejs/npm/node_modules/request/index.js:876:14)
npm ERR!     at Request.EventEmitter.emit (events.js:126:20)
npm ERR!     at IncomingMessage.Request.onResponse.buffer (/usr/lib/nodejs/npm/node_modules/request/index.js:827:12)
npm ERR!     at IncomingMessage.EventEmitter.emit (events.js:126:20)
npm ERR!     at IncomingMessage._emitEnd (http.js:367:10)
npm ERR!     at HTTPParser.parserOnMessageComplete [as onMessageComplete] (http.js:149:23)
npm ERR!     at CleartextStream.socketOnData (http.js:1491:20)
npm ERR! If you need help, you may report this log at:
npm ERR!     <http://github.com/isaacs/npm/issues>
npm ERR! or email it to:
npm ERR!     <[email protected]>

npm ERR! System Linux 3.8.2-joyent-ubuntu-12-opt
npm ERR! command "nodejs" "/usr/bin/npm" "install" "[email protected]"
npm ERR! cwd /tmp
npm ERR! node -v v0.8.25
npm ERR! npm -v 1.3.0
npm ERR! 
npm ERR! Additional logging details can be found in:
npm ERR!     /tmp/npm-debug.log
npm ERR! not ok code 0

Appears semver now automatically sticks in the - to the version, which causes a miss in the npm repo.

Calling valid(null) returns false
Calling every other functions with null values works correctly.
Calling validRange(null) throws an exception:

TypeError: Cannot call method 'trim' of null
    at replaceStars (/Users/satazor/Work/twitter/bower/node_modules/semver/semver.js:119:16)
    at Object.validRange (/Users/satazor/Work/twitter/bower/node_modules/semver/semver.js:188:11)

Also calling validRange('') returns an empty string, shouldn't it return null? It's not a valid range..

(this is totally frivolous)

Hello, i am not sure if this is a bug.

I noticed that semver.clean('5.4.0~oneric+3') returns null, I can reproduce this with any version string containing ~ or +.

My workaround currently is to replace ~ and + with - before passing it.

Could the function be corrected to either strip or ignore these characters?

This is to comply with Google's Web Store manifest as found in:
http://developer.chrome.com/extensions/manifest/version.html

I think the desired behavior is either throwing an error (recommended) if max limit has been reached, or actually advance a higher hierarchy version (from patch to minor).

end result should be:
semver.inc('0.0.65535', 'patch', {max:65535})
// --> throws error 'Maximum patch version of 65535 reached'

npm WARN Invalid range in engines.node. Please see npm help json ~v0.4.7

specifically:

"engines": {
    "node": "~v0.4.7"
}

should work.

It would be nice if you could increment a given semver string. e.g.

semver.increment('0.0.0', 'build') // 0.0.0-1

semver.increment('0.0.1-1', 'build') // 0.0.1-2

semver.increment('0.0.1-1', 'patch') // 0.0.2

semver.increment('0.0.1', 'patch') // 0.0.2

etc. etc.

Under specific circumstances, parseRange will successfully parse a URL string as a valid SemVer range, if loose parsing is enabled.

This is, for instance, problematic for npm (or more correctly, the read-installed library upon which npm depends), as it relies on node-semver failing to parse a string in order to determine if a given string is a URL. npm dependency version strings which node-semver cannot parse (e.g. Git URLs) are assumed to be satisfied by any installed version of the specified package, whereas those which it can parse are only satisfied if the installed version of the package is covered by the parsed range.

One specific condition under which this bug can be reproduced (though I doubt that it is limited to only this case) occurs when the Git URL contains a username and password (i.e. for HTTP basic authentication) and the password happens to end in a string of digits beginning with a zero.

Here is a minimal example:

var semver = require('semver');

new semver.Range('git+https://user:[email protected]/foo/bar.git', true);
// Fails to parse, as expected

new semver.Range('git+https://user:[email protected]/foo/bar.git', true);
// Fails to parse, as expected

new semver.Range('git+https://user:[email protected]/foo/bar.git', true);
// Successfully parses as: <SemVer Range ">=123.0.0-0 <124.0.0-0">

If the final URL in the above example is used as a dependency version string in an npm package.json file, npm will incorrectly consider the dependency unsatisfied unless the installed version number of the package in question coincidentally happens to fall between 123.0 and 124.0.

For client-side use, if I were to add an AMD support to the definition wrapper any chance it would be accepted?

Per https://github.com/isaacs/node-semver/blob/v2.2.1/test/index.js#L405 (among others), the test cases state that, for version ranges:

• 1 := >=1.0.0-0 <2.0.0-0 (Or informally, := 1.x)

However, this handling of incomplete version numbers isn't documented.
For context, my naive interpretation based solely on the docs had been that:

• 1 := =1 := =1.0.0-0

The dependencies for one of my npm modules' package.json looks like this:

  "dependencies": {
    "chalk": "~0.4.0",
    "nopt": "~2.2.0",
    "node.extend": "~1.0.9",
    "update-notifier": "^0.1.7"
  }

The update-notifier entry here with the 'caret' (^) was added automatically by npm, when npm install update-notifier --save was run.

And as seen from this Travis build, everything works fine for v0.10.x, but for v0.8.x npm is throwing the 'No compatible version found error'. Here is the error message from the build log:

npm ERR! Error: No compatible version found: update-notifier@'^0.1.7'
npm ERR! Valid install targets:
npm ERR! ["0.1.0","0.1.1","0.1.2","0.1.3","0.1.4","0.1.5","0.1.6","0.1.7"]
npm ERR!     at installTargetsError (/home/travis/.nvm/v0.8.26/lib/node_modules/npm/lib/cache.js:719:10)
npm ERR!     at /home/travis/.nvm/v0.8.26/lib/node_modules/npm/lib/cache.js:641:10
npm ERR!     at saved (/home/travis/.nvm/v0.8.26/lib/node_modules/npm/node_modules/npm-registry-client/lib/get.js:138:7)
npm ERR!     at Object.oncomplete (fs.js:297:15)
npm ERR! If you need help, you may report this log at:
npm ERR!     <http://github.com/isaacs/npm/issues>
npm ERR! or email it to:
npm ERR!     <[email protected]>

Got this error on the first build build 85 after this dependency was added to the package.

When the dependency in package.json was manually changed to "update-notifier": "~0.1.7" (please note the tilde), the next build (build 86) ran fine.

When the dependency was changed back to what npm injects automatically ("update-notifier": "^0.1.7"), the latest build (build 87) has failed again - only for the v0.8.x.

Googling 'npm dependency caret' brought me to this package and I thought it is better to raise this issue here than at npm.

prepublish: make throws error on windows because there no command make.

var semver = "\\s*[v=]*\\s*([0-9]+)"        // major
           + "\\.([0-9]+)"                  // minor
           + "\\.([0-9]+)"                  // patch
           + "(-[0-9]+-?)?"                 // build
           + "([a-zA-Z-+][a-zA-Z0-9-\.:]*)?" // tag

The above is the foundation of parsing in this module but it does not follow the format from the Semantic Version standard http://semver.org/

/^([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?(?:\+[0-9A-Za-z-]+)?$/

The first capturing group is "major".

The second capturing group is "minor".

The third capturing group is "patch".

The forth capturing group is "prerelease" (not including the preceding dash delimiter between patch and prerelease).

The "build" is non-capturing because it is not to be used in any comparisons.

pretty convinced the current behaviour is broken. I usually use it with the intention of expecting at least a certain version, but anything else compatible is ok. Ex: ~1.0.2 must be at least 1.0.2 but anything up to 2.0.0 is fine. Having a specifier for indicating that you're not ok with new features is a little wonky, so IMHO this anything within the major level would make the most sense. AFAIK the only other way to specify that right now is with the more verbose >= / <= ops

> semver.lt('1.0.0-rc.2','1.0.0-rc.11');
false

This should be true based on point 11 of the semver document

http://semver.org/spec/v2.0.0-rc.2.html

It's covered on https://www.npmjs.org/doc/json.html#dependencies and is in the test suite, but it's not mentioned in the docs/README (https://github.com/isaacs/node-semver#ranges).

Relatedly, asterisk also being a synonym of x (as in e.g. 2.*.*) is also not documented anywhere AFAICT.

Firstly I recognise this is a slightly obscure use case and probably doesn't affect many (any?) other people at all. Also I have a 'good enough' workaround (instead of require('semver') simply use require('semver/semver')).

What we're doing:

• Loading node-semver via browserify.
• Running our browserified javascript through closure compiler with warning_level VERBOSE.

The errors we see:

semver.browser.js:4: ERROR - variable module is undeclared
if (typeof module === 'object' && module.exports === exports)
           ^

semver.browser.js:912: ERROR - variable define is undeclared
if (typeof define === 'function' && define.amd)
           ^

semver.browser.js:916: ERROR - variable exports is undeclared
  typeof exports === 'object' ? exports :
         ^

semver.browser.js:918: ERROR - variable semver is undeclared
  semver = {}
  ^

I'm not sure what the best fix for this would be but since it's possible to workaround it by just pointing browserify at the raw semver file (rather the semver.browser.js, which has the head.js and foot.js files sandwiching it) I was wondering why the browser property (which - and I may be wrong here - is only used by browserify?) wasn't just pointing to the semver.js file.

Alternatively the code to compile the library 'for browsers' could be switched for browserify with the standalone option, which I know to be 'closure compiler safe' - but that will increase the size of the library unnecessarily...

What do you think?

Thanks!

Matt

semver -v 1.0.0-pre2 -r ">1.0.0"
semver -v 1.0.0-pre2 -r ">1.0"

The second one passes, the first does not.
I can see why it might, but I wonder if it's intentional or an oversight?

Problem with version strings like 3.0.0alpha1

The only example of the - range operator in the README shows it being used with full versions, but some testcases have it also being used with incomplete versions, in particular with novel handling of incomplete upper-bounds: https://github.com/isaacs/node-semver/blob/v2.2.1/test/index.js#L491
This should be documented.

It's funny, the things you run into when trying to write a clean-room implementation...

The new 2.0.0-rc1 version of Semantic Versioning ( http://semver.org/ ) has a "build" part of the version number.

A build version MAY be denoted by appending a plus sign and a series of dot separated identifiers immediately following the patch version or pre-release version. Identifiers MUST be comprised of only ASCII alphanumerics and dash [0-9A-Za-z-]. Build versions satisfy and have a higher precedence than the associated normal version. Examples: 1.0.0+build.1, 1.3.7+build.11.e0f985a.

semver currently uses a minus (-) sign to delimit the build version. That's not to spec, but it would be nice if the semver package recognized the + in addition to the - for build numbers.

I currently have 2.0.1 and a 2.0.1+build.2 tags in my bower component’s repo and the 2.0.1+build.2 tag is not being recognized as 1.) valid or 2.) higher precedence then 2.0.1.

Is there a clean way to check if a range defines an upper or lower limit?

'<1.2.3' // only upper limit
'>1.0.0' // only lower limit
'>1.0.0 <1.2.3' // both limits
'<1.0.0 >1.2.3' // limitless?

My use-case has items without a semver string that must be considered to be the latest (or oldest). This is hard to combine when filtering with ranges.

I guess the follow-up question would be to extract the semvers for the 2 limits (if any).

Using version 2.0.7. Tested a few versions back (all > 2.x) with the same result.

semver = require 'semver'

out = (input) ->
    console.log input

ranges = [
    '1.1.1-123'
    '1.1.1'
    '1.1.2'
    '2.0.0'
    '1.1.0'
]

out semver.maxSatisfying ranges, '~1.1.1'  #E: 1.1.2 A: 1.1.1-123
out semver.maxSatisfying ranges, '~1.1.x'  #E: 1.1.2 A: 1.1.0
out semver.maxSatisfying ranges, '<=2.0.0' #E: 2.0.0 A: 1.1.0
out semver.maxSatisfying ranges, '>=1.1.2' #E: 2.0.0 A: 1.1.2

(Originally (wrongfully) posted on the Bower issue tracker)

I have a library that works with jQuery 2.x or jQuery 1.x. However, it's advertised as being IE8+ compatible. Because of this I want it to default to installing the jQuery 1.x dependency when you run bower install. For users who already have jquery v2 installed, though, I don't want them to get asked to resolve their dependencies, as there isn't any issue at all with them using v2.

I figured this situation is best handled by the || operator. However, because using or always picks the latest version this doesn't really work all that optimally. This is because users who type bower install will always get jquery v2.

My thought is: what if the order of or mattered? What if the first version specified is what is installed, if neither are. This would let me specify:

"jquery": "~1.11.0 || ~2.1.0"

and have it pull in 1.11 if there is no jQuery currently installed. For users who already have jQuery v2 installed, they (rightfully) wouldn't get asked for resolutions.

With this change, you could change the precedence of the install by swapping it to be:

"jquery": "~2.1.0 || ~1.11.0"

What do y'all think?

Hey,

Is the following behavior intentional?

> SemVer.satisfies("1.0.0-rc1", ">= 1.0.0")
false
> SemVer.satisfies("1.0.0-rc1", ">= 1.0")
true

Happens with SemVer v2.2.1.

So... yes, I'm just venting.

Semantic versioning is great. It allows systems to find the right versions and express dependencies in a consistent and safe way.

But.

It doesn't work with stupid humans. When you do a 1.0.0 or 2.0.0 release, people assume it's a big-fucking-deal even when it's not. I need to change hapi from 1.0.0 to 2.0.0 because we messed up a dependency and it requires a breaking change. But there are no new features, nothing to get excited about. No party.

If only there was one extra digit which had no semantic meaning other than "newer and a big-fucking-deal". So 1.1.0.0 to 1.2.0.0 is breaking changes but nothing exciting while 1.1.0.0 to 2.1.0.0 is FUCKYEAHWEROCKWITHNEWSHINYSHITANDTSHIRTS.

Thanks for listening. You can close this now.

add a way to order an unordered list of versions
Example:
[1.0.2, 1.3.2, 1.1.1, 1.0.1] -> [1.0.1, 1.0.2, 1.1.1, 1.3.2]

I'm guessing this has already been brought up in the past, but I couldn't find this discussion on the web. I'm sorry if this is a recurring question.

In my understanding of semver v2, it should be safe (and desirable, I think) to install packages of greater Minor versions than the minimal one with which the package was originally implemented, because Minor bumps should be backwards-compatible.

Desirability comes from the idea that if I implement something that depends on module [email protected] at one point, and abc evolves a lot and reaches version 1.9.9, version 1.9.9 is likely to have improvements over 1.2.3 funcionality that were not introduced as 1.2 bugfixes.

It takes a very diligent maintainer to fix a bug of 1.2 functionality on version 1.9.x and create a 1.2 bugfix for it. In fact, he would need to create one bugfix for each Minor version in the 1.2~1.9 range, or at least for each tag in that range. Normally, they just tell you to update the package if you encounter problems, which is fine, but currently that's only automatically done by npm in bugfix increments, since people are instructed to use 1.2.x notation.

Even though Minor bumps mostly introduce new functionality, they may also introduce bugfixes that I would like npm to install for me without requiring me to update my package.json.

Thoughts?

When I am working on a feature branch, I set the semver to be a pre-release of what version the code will be at when the branch is merged into master. (So if I'm starting at 6.0.0 and adding a feature, I set the semver to be 6.1.0-0 and increment the build tag as necessary.) When I point other dependents to use this branch to test it out, I want a semver that says 'use this version or any pre-releases thereof'. Would it be possible to get some shorthand for that case?

I just started using ^ but am now completely stripping out ^ everywhere because the special case with 0.x makes it extremely counter-intuitive behavior, especially where swapping ~ for ^ is concerned.

I just went through a package.json recently and was pulling my hair out trying to figure out why "duplexer2": "^0.0.1" wasn't installing 0.0.2 until I found #41.

We currently have no way of tersely describing "up to the next major release" without special cases for 0.x. As it stands I'm not going to be using ^ anymore anywhere.

If maxSatisfying fails it returns undefined, not null.

So the README.md should corrected. There is written:

maxSatisfying(versions, range): Return the highest version in the list
that satisfies the range, or null if none of them do.

This will probably get closed, but I'm going to open it anyway. I know the semver spec states that a version must have a X.Y.Z, but it would be great if this library supported more sanity than the spec. When I started working with this library, I assumed the two lines below would return true. Boy was I wrong.

semver.gt('1.2.1', '1.2')    <--- false
semver.gt('1.2.1', '1.2.0')  <--- true

The toString method on the SemVer class returns this.value, which never gets set.

Laughing as I type this, sorry if you're offended by the title. On the serious side gte and lte functions would be really helpful. It seems like you have the machinery for it in the internal compare function.

Want to patch; just no time w/ NodeConf. Will try in May if you don't have time.

I'm trying to use node-semver in the browser using Bower and RequireJS. I've installed it using 'bower install isaacs/node-semver' and that works fine, but because I then want to use it in the browser (using RequireJS which provides an AMD environment) I need semver.browser.js.

Right now, I don't have any kind of "build process", and I'd rather not add one unless I have to ;-)

Other libraries handle this by committing their built artifacts (something which I'd abhor if they were binaries - e.g. JARs). For example, https://github.com/twbs/bootstrap/tree/master/dist. So when you install bootstrap using Bower, you simply serve the JS/CSS/etc. from .../bower_components/bootstrap/dist.

Would it be possible for you to commit semver.browser.js as part of your build/release process?

Compare with https://www.npmjs.org/doc/json.html#dependencies :

• "" (just an empty string) Same as *