Skip to content

2023-16-01 - Npm packages pre-release versions

2023-16-01 - Npm packages pre-release versions

INFO

This document represents an architecture decision record (ADR) and has been mirrored from the ADR section in our Shopware 6 repository. You can find the original version here

Context

A pre-release package version is a version followed by a hyphen and an alphanumeric string.

Imagine the following scenario:

  • An imaginary package is marked as insecure with version 1.8.7
  • The issue is fixed with 2.0.0
  • We use version 1.9.0-alpha1
  • Any pre-release package version like 1.9.0-alpha1 is interpreted as <0.0.0 by npm

Why is this problematic?

The insecurity introduced with version 1.8.7 would never get reported to us by npm, unless we switch to a none pre-release version.

Decision

Using pre-release package versions is prohibited. This will be checked via a npm preinstall script.

Consequences

Bug fix releases only available as a preview in a pre-release package can't be used.