node-semver icon indicating copy to clipboard operation
node-semver copied to clipboard
verified publisher icon npm

[BUG] limit version prefix to optional `v`

Open mbtools opened this issue 1 year ago • 4 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Current Behavior

The following "ranges" are currently considered valid: > v=1.2.3, > vvv1.2.3, > v==1.2.3, > v=vv==v1.x

The validation is not strict enough and allows =, v=, and nonsensical prefixes as well.

Expected Behavior

With next major semver, the version prefix should be limited to a single, optional v. Other prefixes shall not be permitted anymore.

Suggested change:

// createToken('LOOSEPLAIN', `[v=\\s]*${src[t.MAINVERSIONLOOSE] // old
createToken('LOOSEPLAIN', `v?\\s*${src[t.MAINVERSIONLOOSE] // new

// createToken('XRANGEPLAIN', `[v=\\s]*(${src[t.XRANGEIDENTIFIER]})` +  // old
createToken('XRANGEPLAIN', `v?(${src[t.XRANGEIDENTIFIER]})` +// new

// createToken('XRANGEPLAINLOOSE', `[v=\\s]*(${src[t.XRANGEIDENTIFIERLOOSE]})` + // old
createToken('XRANGEPLAINLOOSE', `v?\\s*(${src[t.XRANGEIDENTIFIERLOOSE]})` + // new

Steps To Reproduce

validRange('> v=1.2.3')

Environment

  • node-semver: 7.6.0

mbtools avatar Mar 20 '24 16:03 mbtools

Added this to https://github.com/npm/node-semver/issues/501

wraithgar avatar Mar 20 '24 16:03 wraithgar

I have done some analysis of all versions, dependencies and engine ranges used in the top 5200 npm package.json files:

Type of Range Count
^ 52049
semver 14049
>= 2934
~ 1979
|| 841
* 730
x 502
major 348
= 162
"latest" 154
npm: 101
git: 69
- 60
file: 44
> 25
major.minor 24
"next" 15
http/s: 12
link: 7
portal: 3
< 3
. 3
v1.1.0 1
./ 1
workspace: 1
v1.13.4 1
Grand Total 74118

The use of v or v= prefixes is extremely rare. It's only 2 cases (which could be tags and valid).

~I would suggest to put up a deprecation notice of these semver v1 notations and then completely stick to semver v2 (i.e. no prefixes, not even a v) with the next major.~

mbtools avatar Mar 22 '24 20:03 mbtools

why even bother removing the v? there's nothing conceptually wrong with it; npm doesn't comply with semver v2 anyways; and https://semver.org/#is-v123-a-semantic-version supports its use as an optional prefix.

ljharb avatar Mar 22 '24 20:03 ljharb

Agree. Removing v won't make a difference. Stats are interesting nevertheless 😃

mbtools avatar Mar 27 '24 08:03 mbtools