[BUG] wrong results on semver.npmjs.com

[phryneas]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

This is not a bug with the semver package, but with https://semver.npmjs.com/

I couldn't find any better place to report this, so I hope I'm right here or the maintainers know where I can report this correctly.

Currently, if you go to https://semver.npmjs.com/ and search for ^16.8.0 || ^17.0.0 || ^18.0.0 || >=19.0.0-rc <19.0.0, it misses all React 19 RCs in the results.

Expected Behavior

Irritatingly, when removing ^18.0.0 from that list, it gives a result that seems correct

Steps To Reproduce

go to https://semver.npmjs.com/ and search for ^16.8.0 || ^17.0.0 || ^18.0.0 || >=19.0.0-rc <19.0.0

Environment

Firefox

[wraithgar]

This is a subtle one. npm itself includes the latest tag when choosing a version from a range to determine what version to install.

If today you were to set your dependencies like this:

npm pkg set dependencies.react="^16.8.0 || ^17.0.0 || ^18.0.0 || >=19.0.0-rc <19.0.0"

And then ran npm install you would get 18.3.1 in your tree, because that is what is tagged as latest currently. If the latest version is in the acceptable range, it is always used.

$ npm view react dist-tags.latest
18.3.1

The website is showing you all the versions npm would consider given that range. I'm not sure this is the right thing to do, especially as there is no indication on the page that it is taking that into consideration, nor is it trying to tell you what npm would install. npm also includes other things like engines and os to determine what versions it can install, and this page doesn't take any of that into consideration.

We'll leave this open to track what to do here. As of now at least you know why it's doing this.

[ljharb]

Since the latest tag is mutable, i think the current behavior is ideal but perhaps it could use a sentence or two of prose explanation.

[phryneas]

In our case it would be a peerDependency - is it safe to assume that if the user would specify a React 19 RC as a direct dependency while installing our package, npm/semver would honor that and not install react@latest on top?

[wraithgar]

Yes I believe that's what would happen. The latest is picked in the absence of an extant version in the tree. If the extant version satisfies the semver range it is kept, regadless of the latest tag. To put it another way, this logic that looks for latest is only employed when there is not a version of the package already in the tree.

(This example assumes install-links is set to true)

~/D/s/p/sub $ npm pkg set peerDependencies.react="^16.8.0 || ^17.0.0 || ^18.0.0 || >=19.0.0-rc <19.0.0"
~/D/s/p/sub $ cd ..
~/D/s/peerdeps $ npm i ./sub --install-links=true

added 4 packages, and audited 5 packages in 1s

found 0 vulnerabilities
~/D/s/peerdeps $ npm ls react
@gar/peer-deps-test@1.0.0 /Users/wraithgar/Development/scratch/peerdeps
└─┬ @gar/sub-dep-test@1.0.0
  └── react@18.3.1

~/D/s/peerdeps $ npm pkg set dependencies.react="^19.0.0-rc"
~/D/s/peerdeps $ npm i

removed 2 packages, changed 1 package, and audited 3 packages in 784ms

found 0 vulnerabilities
~/D/s/peerdeps $ npm ls react
@gar/peer-deps-test@1.0.0 /Users/wraithgar/Development/scratch/peerdeps
├─┬ @gar/sub-dep-test@1.0.0
│ └── react@19.0.0-rc-fb9a90fa48-20240614 deduped
└── react@19.0.0-rc-fb9a90fa48-20240614

[phryneas]

Okay, that helps a lot - thank you :)