Skip to content

2023-16-01 - Npm packages pre-release versions

You are viewing an outdated version of the documentation.
Click here to switch to the stable version (v6.6), or use the version switcher on the left to navigate between versions.

2023-16-01 - Npm packages pre-release versions

INFO

This document represents an architecture decision record (ADR) and has been mirrored from the ADR section in our Shopware 6 repository. You can find the original version here

Context

A pre-release package version is a version followed by a hyphen and an alphanumeric string.

Imagine the following scenario:

  • An imaginary package is marked as insecure with version 1.8.7
  • The issue is fixed with 2.0.0
  • We use version 1.9.0-alpha1
  • Any pre-release package version like 1.9.0-alpha1 is interpreted as <0.0.0 by npm

Why is this problematic?

The insecurity introduced with version 1.8.7 would never get reported to us by npm, unless we switch to a none pre-release version.

Decision

Using pre-release package versions is prohibited. This will be checked via a npm preinstall script.

Consequences

Bug fix releases only available as a preview in a pre-release package can't be used.