Npm packages pre-release versions

INFO

This document represents an architecture decision record (ADR) and has been mirrored from the ADR section in our Shopware 6 repository. You can find the original version here

Context

A pre-release package version is a version followed by a hyphen and an alphanumeric string.

Imagine the following scenario:

An imaginary package is marked as insecure with version 1.8.7
The issue is fixed with 2.0.0
We use version 1.9.0-alpha1
Any pre-release package version like 1.9.0-alpha1 is interpreted as <0.0.0 by npm

Why is this problematic?

The insecurity introduced with version 1.8.7 would never get reported to us by npm, unless we switch to a none pre-release version.

Decision

Using pre-release package versions is prohibited. This will be checked via a npm preinstall script.

Consequences

Bug fix releases only available as a preview in a pre-release package can't be used.

Catalog

Checkout

Content

Architecture

Community Setups

Plugins

Plugin fundamentals

Checkout

Cart

Document

Order

Payment

Content

CMS

Mail

Media

SEO

Sitemap

Stock

Elasticsearch

Framework

Data Handling / DataAbstractionLayer

Custom Fields

Event

Message Queue

Rule

Store API

Filesystem

Flow

Rate Limiter

System Checks

Administration

Storefront

Testing

API

Themes

Apps

App Starter Guides

App SDKs

Official JavaScript SDK

Official PHP SDK

App Scripts

Storefront

Administration

Flow Builder

Custom Data

Content

CMS

Rule Builder

Gateways

Checkout

Installation & Updates

Deployments

Configurations

Shopware

Framework

Observability

Performance

Infrastructure

Elasticsearch

General Concepts

Migration Assistant

Concept

Guides

B2B Suite

Concepts

Guides

Core

Storefront

B2B Components

Employee Management

Concepts

Guides

Quotes Management

Concepts

Guides

Shopping lists

Concepts

Guides

Order Approval

Npm packages pre-release versions

Context

Decision

Consequences