Check validity of version before making fake pkg #18852
Conversation
Cheking the version against semver here ensures that a fake pkg with URL/path data in its version field doesn’t get created (if that happens, then that will propagate down into the version field of any refreshed package.json, overwriting whatever version should actually be there)
|
This would disable fake children for git urls and http tarball urls… which ok, we can do as an interum measure, though I'd like to restore it. I'm a bit confused as to how this is related to #17858, however and maybe I just missed that discussion? The bug reported in #17858 involves unbuild being called on a package entry where |
|
Also, I encourage you to drop by the https://package.community/ discord server and we can chat real time about this, 'cause I'd like to get this out. =) |
|
I'll jump in there as soon as I can. Mostly, I've been looking at making minimally invasive changes on principle, but I'm 100% prepared to believe this one really wants something more sophisticated. |
|
Proper fix was in refresh-package-json.js |
Cheking the version against semver here ensures that a fake pkg with URL/path data in its version field doesn’t get created (if that happens, then that will propagate down into the version field of any refreshed package.json, overwriting whatever version should actually be there)
This resolves #17858 without violating the spec for package-lock.json (mea culpa!)