2023-16-01 - Npm packages pre-release versions

INFO

This document represents an architecture decision record (ADR) and has been mirrored from the ADR section in our Shopware 6 repository. You can find the original version here

Context

A pre-release package version is a version followed by a hyphen and an alphanumeric string.

Imagine the following scenario:

An imaginary package is marked as insecure with version 1.8.7
The issue is fixed with 2.0.0
We use version 1.9.0-alpha1
Any pre-release package version like 1.9.0-alpha1 is interpreted as <0.0.0 by npm

Why is this problematic?

The insecurity introduced with version 1.8.7 would never get reported to us by npm, unless we switch to a none pre-release version.

Decision

Using pre-release package versions is prohibited. This will be checked via a npm preinstall script.

Consequences

Bug fix releases only available as a preview in a pre-release package can't be used.

Catalog

Checkout

Content

Architecture

Infrastructure

Elasticsearch

Installation & Updates

Deployments

Performance

Legacy Setups

Community Setups

General Concepts

Apps

Administration

Custom Data

Flow Builder

Hosting Guide

Local development

Rule Builder

App Starter Guides

Storefront

App Scripts

Content

CMS

Themes

Plugins

Administration

API

Checkout

Cart

Document

Order

Payment

Content

CMS

Mail

Media

SEO

Sitemap

Elasticsearch

Framework

Custom Fields

Data Handling / DataAbstractionLayer

Event

Filesystem

Flow

Message Queue

Rate Limiter

Rule

Store API

Storefront

Testing

Plugin fundamentals

Migration Assistant

Concept

Guides

Advanced Search

B2B Suite

Concepts

Guides

Storefront

Core

Code

Document

Fonts & Formats

Test

Testing guidelines for extensions

Administration Reference

General

Admin

Flow builder

API

App

Cache

Checkout

Content-management

DAL

Deployment

Extension

Inventory

2023-16-01 - Npm packages pre-release versions

Context

Decision

Consequences