Deprecated version being used in the rewrite
AllanJard opened this issue
Description
Consider https://unpkg.com/datatables.net-bs5@1.13.6/js/dataTables.bootstrap5.mjs which when run through jsdelivr is rewritten with
import e from"/npm/datatables.net@2.1.1/+esm"
Unfortunately, the 2.1.1 version is due to a mistaken tag years ago. It is marked as deprecated by NPM and therefore should not be used. I presume what is happening is that you are just getting the full list of all versions of the target package and using the latest, without considering the deprecated flag.
Affected jsDelivr links
https://cdn.jsdelivr.net/npm/datatables.net-bs5@1.13.6/+esm
Response headers
HTTP/2 200
access-control-allow-origin: *
access-control-expose-headers: *
timing-allow-origin: *
cache-control: public, max-age=31536000, s-maxage=31536000, immutable
cross-origin-resource-policy: cross-origin
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-type: application/javascript; charset=utf-8
x-jsd-version: 1.13.6
x-jsd-version-type: version
link: </npm/jquery@3.7.1/+esm>; rel="modulepreload"; nopush, </npm/datatables.net@2.1.1/+esm>; rel="modulepreload"; nopush
etag: W/"955-WjJl5Z1MmKbB0LvnjY+5No10ja4"
accept-ranges: bytes
date: Thu, 26 Oct 2023 14:08:36 GMT
age: 5046
x-served-by: cache-fra-etou8220050-FRA, cache-lon4222-LON
x-cache: HIT, MISS
vary: Accept-Encoding
alt-svc: h3=":443";ma=86400,h3-29=":443";ma=86400,h3-27=":443";ma=86400
content-length: 2389
Information
- Device OS: Linux - OpenSUSE tumbleweed
- Browser & Version: Firefox 110.0.1
- VPN provider: N/A
- Your location: UK
Requisites
- I performed a cursory search of the issue tracker to avoid opening a duplicate issue.
- I checked the documentation to understand that the issue I am reporting is not normal behavior.
- I understand that not filling out this template correctly will lead to the issue being closed.
Additional content
The issue is with the rewriting, not the delivery
Hey, I looked into this briefly, and I can see the npm cli itself does seem to ignore the deprecated version, but I'm not actually sure why - I couldn't find any resource or reference in their code so far that would suggest this should actually be the case. As a short-term solution, I'd certainly suggest using a more restrictive range.
Thanks for looking into this! Is any of the code you use for deriving versions open source, so I might be able to take a look and see if I can contribute a patch? I've started rolling out more restrictive ranges, but it isn't going to cure all combinations unfortunately.
This part is not OSS unfortunately but I've actually found the details of npm's implementation recently: https://github.com/npm/cli/blob/88ece8161021997cb5c22040b34d0dffff55fcf1/node_modules/npm-pick-manifest/lib/index.js#L174-L180
I think we'll be able to adjust our behavior to match npm's shortly.
Awesome - many thanks!
Fixed! https://cdn.jsdelivr.net/npm/datatables.net-bs5@1.13.6/+esm now loads the correct version.
Amazing - thank you for implementing that change, and so quickly!
Wow, this is fantastic! Thank you!
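The resolution difference discussed in this thread, as an added example that is not part of the original issue and is neither jsDelivr's nor npm's code: a naive "highest matching version" pick next to one that ranks non-deprecated versions first. The packument contents, the `>=1.13.4` range and all function names are assumptions made for illustration.

```javascript
// Added example, simplified: release versions only (no prerelease tags)
// and only ">=x.y.z" ranges are handled.

// Constructed packument in the npm registry's shape: a deprecated version
// carries a "deprecated" message string in its manifest.
const packument = {
  name: "datatables.net",
  versions: {
    "1.13.4": {},
    "1.13.5": {},
    "1.13.6": {},
    "2.1.1": { deprecated: "constructed message: published by mistake" },
  },
};

const parse = (v) => v.split(".").map(Number);

// Returns <0, 0 or >0, comparing major, minor and patch in turn.
function compare(a, b) {
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Only ">=x.y.z" is supported (assumption to keep the example short).
function satisfies(version, range) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(range);
  if (!m) throw new Error(`unsupported range: ${range}`);
  return compare(version, m[1]) >= 0;
}

// Naive resolver: highest matching version, deprecated or not.
function pickNaive(pkg, range) {
  return Object.keys(pkg.versions)
    .filter((v) => satisfies(v, range))
    .sort((a, b) => compare(b, a))[0] ?? null;
}

// Deprecation-aware resolver: non-deprecated first, then highest version.
// A deprecated version is still returned when nothing else matches.
function pickPreferNonDeprecated(pkg, range) {
  const isDep = (v) => (pkg.versions[v].deprecated ? 1 : 0);
  return Object.keys(pkg.versions)
    .filter((v) => satisfies(v, range))
    .sort((a, b) => isDep(a) - isDep(b) || compare(b, a))[0] ?? null;
}
```

Sorting rather than filtering keeps a deprecated release resolvable when it is the only match, so an explicit pin to it does not turn into a resolution failure.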