Description
What / Why
NPM 6.14.5 and 6.14.6 have a regression in their handling of git tags.
How
Current Behavior
Under 6.14.4, if you add a package from a specific git tag, run install, then change the tag in package.json and run install again, the package gets updated.
Under 6.14.5
Steps to Reproduce
The following example uses pacote, not because it is realistic, since all its tags are published versions, but because I know it is publicly accessible, and it can still show off the problem.
- git init
- echo
- npm init
- npm i https://github.com/npm/pacote#v11.1.7
- git add .
- git commit -m 'test'
- edit package.json and change the tag to #v11.1.8
- npm i
- git diff
Notice that the package and lock file were not updated if using 6.14.5 or 6.14.6.
Expected Behavior
Same as 6.14.4: package.json and package-lock.json are updated, the same as if I changed a normal version number to something incompatible with the version specified in package-lock.json.
References
I suspect the cause is a side effect of the change to the childDependencySpecifier call in PR #758:
33ec41f#diff-5081bd1aabac431eccfb75bfa08bde1bL573
If I recall correctly, the _from value was used to determine if the git branch specified in the package-lock.json actually matches what is specified in package.json. Not passing in that information breaks this check.
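Added example (not npm's code and not from this report): a small check that compares the git tag spec in package.json with the "from" recorded for that dependency in a v1 package-lock.json, which is the comparison the _from value served, so a stale lock entry of the kind 6.14.5/6.14.6 leave behind is flagged before the lockfile is trusted. The lockfile field layout, the sample manifest/lock and the placeholder commit hash are constructed assumptions.

```javascript
// Normalise a git dependency spec to { repo, ref } so that
// "https://github.com/npm/pacote#v11.1.7" and
// "git+https://github.com/npm/pacote.git#v11.1.7" compare equal.
// Returns null for anything that is not a git URL spec (e.g. semver ranges).
function normalizeGitSpec(spec) {
  const m = /^(?:git\+)?(?:https?|ssh|git):\/\/(?:[^@/]+@)?([^#]+?)(?:\.git)?(?:#(.*))?$/.exec(spec);
  if (!m) return null;
  // An absent "#ref" means the remote's default branch; keep it as ''.
  return { repo: m[1].toLowerCase(), ref: m[2] || '' };
}

// Report every git dependency whose lock entry does not match the manifest.
// Assumes the npm 6 (lockfileVersion 1) layout: lock.dependencies[name].from
// holds the spec the entry was installed from.
function findDriftedGitDeps(pkg, lock) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const drifted = [];
  for (const [name, spec] of Object.entries(deps)) {
    const want = normalizeGitSpec(spec);
    if (!want) continue; // registry/semver dependency: npm resolves these correctly
    const entry = (lock.dependencies || {})[name];
    if (!entry) { drifted.push({ name, reason: 'missing from package-lock.json' }); continue; }
    const have = normalizeGitSpec(entry.from || '');
    if (!have || have.repo !== want.repo || have.ref !== want.ref) {
      drifted.push({ name, reason: `lock was installed from "${entry.from || '(no from)'}", manifest wants "${spec}"` });
    }
  }
  return drifted;
}

// Constructed sample: package.json already bumped to v11.1.8, lock still at v11.1.7
// (the state left behind after "npm i" under the regressed versions).
const sampleManifest = {
  dependencies: { pacote: 'https://github.com/npm/pacote#v11.1.8', lodash: '^4.17.0' },
};
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    pacote: {
      version: 'git+https://github.com/npm/pacote.git#0000000000000000000000000000000000000000', // placeholder sha
      from: 'git+https://github.com/npm/pacote.git#v11.1.7',
    },
    lodash: { version: '4.17.20', resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz' },
  },
};

for (const d of findDriftedGitDeps(sampleManifest, sampleLock)) console.log(`${d.name}: ${d.reason}`);
```

Running the check in CI against the real files (JSON.parse of package.json and package-lock.json) turns the silent non-update into a failed build.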