npm-pick-manifest
is a standalone
implementation of npm's semver range resolution algorithm.
$ npm install --save npm-pick-manifest
const pickManifest = require('npm-pick-manifest')
fetch('https://registry.npmjs.org/npm-pick-manifest').then(res => {
return res.json()
}).then(packument => {
return pickManifest(packument, '^1.0.0')
}) // get same manifest as npm would get if you `npm i npm-pick-manifest@^1.0.0`
- Uses npm's exact semver resolution algorithm.
- Supports ranges, tags, and versions.
- Prefers non-deprecated versions to deprecated versions.
- Prefers versions whose
engines
requirements are satisfied over those that will raise a warning or error at install time.
Returns the manifest that best matches selector
, or throws an error.
Packuments are anything returned by metadata URLs from the npm registry. That
is, they're objects with the following shape (only fields used by
npm-pick-manifest
included):
{
name: 'some-package',
'dist-tags': {
foo: '1.0.1'
},
versions: {
'1.0.0': { version: '1.0.0' },
'1.0.1': { version: '1.0.1' },
'1.0.2': { version: '1.0.2' },
'2.0.0': { version: '2.0.0' }
}
}
The algorithm will follow npm's algorithm for semver resolution, and only
tag
, range
, and version
selectors are supported.
The function will throw ETARGET
if there was no matching manifest, and
ENOVERSIONS
if the packument object has no valid versions in versions
.
If the only matching manifest is included in a policyRestrictions
section
of the packument, then an E403
is raised.
All options are optional.
includeStaged
- Boolean, defaultfalse
. Include manifests in thestagedVersions.versions
set, to support installing staged packages when appropriate. Note that staged packages are always treated as lower priority than actual publishes, even whenincludeStaged
is set.defaultTag
- String, default'latest'
. The defaultdist-tag
to install when no specifier is provided. Note that the version indicated by this specifier will be given top priority if it matches a supplied semver range.before
- String, Date, or Number, defaultnull
. This is passed tonew Date()
, so anything that works there will be valid. Do not consider any manifests that were published after the date indicated. Note that this is only relevant when the packument includes atime
field listing the publish date of all the packages.nodeVersion
- String, defaultprocess.version
. The Node.js version to use when checking manifests forengines
requirement satisfaction.npmVersion
- String, defaultnull
. The npm version to use when checking manifest forengines
requirement satisfaction. (Ifnull
, then this particular check is skipped.)avoid
- String, defaultnull
. A SemVer range of versions that should be avoided. An avoided version MAY be selected if there is no other option, so when using this for version selection ensure that you check the result against the range to see if there was no alternative available.avoidStrict
Boolean, defaultfalse
. If set to true, thenpickManifest
will never return a version in theavoid
range. If the only available version in thewanted
range is a version that should be avoided, then it will return a version outside thewanted
range, preferring to do so without making a SemVer-major jump, if possible. If there are no versions outside theavoid
range, then throw anETARGET
error. It does this by calling pickManifest first with thewanted
range, then with a^
affixed to the version returned by thewanted
range, and then with a*
version range, and throwing if nothing could be found to satisfy the avoidance request.
Return value is the manifest as it exists in the packument, possibly decorated with the following boolean flags:
_shouldAvoid
The version is in theavoid
range. Watch out!_outsideDependencyRange
The version is outside thewanted
range, becauseavoidStrict: true
was set._isSemVerMajor
The_outsideDependencyRange
result is a SemVer-major step up from the version returned by thewanted
range.
- Create list of all versions in
versions
,policyRestrictions.versions
, and (ifincludeStaged
is set)stagedVersions.versions
. - If a
dist-tag
is requested,- If the manifest is not after the specified
before
date, then select that from the set. - If the manifest is after the specified
before
date, then re-start the selection looking for the highest SemVer range that is equal to or less than thedist-tag
target.
- If the manifest is not after the specified
- If a specific version is requested,
- If the manifest is not after the specified
before
date, then select the specified manifest. - If the manifest is after the specified
before
date, then raiseETARGET
error. (NB: this is a breaking change from v5, where a specified version would override thebefore
setting.)
- If the manifest is not after the specified
- (At this point we know a range is requested.)
- If the
defaultTag
refers to adist-tag
that satisfies the range (or if the range is'*'
or''
), and the manifest is published before thebefore
setting, then select that manifest. - If nothing is yet selected, sort by the following heuristics in order,
and select the top item:
- Prioritize versions that are not in the
avoid
range over those that are. - Prioritize versions that are not in
policyRestrictions
over those that are. - Prioritize published versions over staged versions.
- Prioritize versions that are not deprecated, and which have a satisfied engines requirement, over those that are either deprecated or have an engines mismatch.
- Prioritize versions that have a satisfied engines requirement over those that do not.
- Prioritize versions that are not are not deprecated (but have a mismatched engines requirement) over those that are deprecated.
- Prioritize higher SemVer precedence over lower SemVer precedence.
- Prioritize versions that are not in the
- If no manifest was selected, raise an
ETARGET
error. - If the selected item is in the
policyRestrictions.versions
list, raise anE403
error. - Return the selected manifest.