jsdelivr / jsdelivr

A free, fast, and reliable Open Source CDN for npm, GitHub, Javascript, and ESM

Home Page: https://www.jsdelivr.com

Deprecated version being used in the rewrite

AllanJard opened this issue

Description

Consider https://unpkg.com/datatables.net-bs5@1.13.6/js/dataTables.bootstrap5.mjs which when run through jsdelivr is rewritten with

import e from"/npm/datatables.net@2.1.1/+esm"

Unfortunately, the 2.1.1 version is due to a mistaken tag years ago. It is marked as deprecated by NPM and therefore should not be used. I presume what is happening is that you are just getting the full list of all versions of the target package and using the latest, without considering the deprecated flag.

Affected jsDelivr links

https://cdn.jsdelivr.net/npm/datatables.net-bs5@1.13.6/+esm

Response headers

HTTP/2 200
access-control-allow-origin: *
access-control-expose-headers: *
timing-allow-origin: *
cache-control: public, max-age=31536000, s-maxage=31536000, immutable
cross-origin-resource-policy: cross-origin
x-content-type-options: nosniff
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-type: application/javascript; charset=utf-8
x-jsd-version: 1.13.6
x-jsd-version-type: version
link: </npm/jquery@3.7.1/+esm>; rel="modulepreload"; nopush, </npm/datatables.net@2.1.1/+esm>; rel="modulepreload"; nopush
etag: W/"955-WjJl5Z1MmKbB0LvnjY+5No10ja4"
accept-ranges: bytes
date: Thu, 26 Oct 2023 14:08:36 GMT
age: 5046
x-served-by: cache-fra-etou8220050-FRA, cache-lon4222-LON
x-cache: HIT, MISS
vary: Accept-Encoding
alt-svc: h3=":443";ma=86400,h3-29=":443";ma=86400,h3-27=":443";ma=86400
content-length: 2389

Information

  • Device OS: Linux - OpenSUSE tumbleweed
  • Browser & Version: Firefox 110.0.1
  • VPN provider: N/A
  • Your location: UK

Requisites

  • I performed a cursory search of the issue tracker to avoid opening a duplicate issue.
  • I checked the documentation to understand that the issue I am reporting is not normal behavior.
  • I understand that not filling out this template correctly will lead to the issue being closed.

Additional content

The issue is with the rewriting, not the delivery

Hey, I looked into this briefly, and I can see the npm cli itself does seem to ignore the deprecated version, but I'm not actually sure why - I couldn't find any resource or reference in their code so far that would suggest this should actually be the case. As a short-term solution, I'd certainly suggest using a more restrictive range.

Thanks for looking into this! Is any of the code you use for deriving versions open source, so I might be able to take a look and see if I can contribute a patch? I've started rolling out more restrictive ranges, but it isn't going to cure all combinations unfortunately.

This part is not OSS unfortunately but I've actually found the details of npm's implementation recently: https://github.com/npm/cli/blob/88ece8161021997cb5c22040b34d0dffff55fcf1/node_modules/npm-pick-manifest/lib/index.js#L174-L180

I think we'll be able to adjust our behavior to match npm's shortly.

Awesome - many thanks!

Amazing - thank you for implementing that change, and so quickly!

Wow, this is fantastic! Thank you!
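
The selection order discussed in this thread, as an added example that is not part of the original issue and is not jsDelivr's or npm's code: a resolver that takes the highest matching version regardless of the deprecated flag, next to one that demotes deprecated versions before comparing version numbers. The packument, the package name `example-lib`, the function names, and the restriction to plain `x.y.z` versions and `>=` ranges are all assumptions made for illustration.

```javascript
// Constructed packument (registry metadata) for a hypothetical package.
// As in npm registry metadata, a deprecated version carries a "deprecated" message string.
const packument = {
  name: "example-lib",
  versions: {
    "1.13.4": {},
    "1.13.6": {},
    "1.13.10": {},
    "2.1.1": { deprecated: "published by mistake" },
  },
};

// Parse plain "x.y.z" only; pre-release tags are out of scope for this sketch.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison per component, so 1.13.10 sorts above 1.13.6.
function compare(a, b) {
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Only ">=x.y.z" ranges are supported here (assumption, keeps the example short).
function candidates(pack, range) {
  const min = range.replace(/^>=\s*/, "");
  return Object.keys(pack.versions).filter((v) => compare(v, min) >= 0);
}

// Naive: highest matching version, deprecation ignored.
function resolveNaive(pack, range) {
  return candidates(pack, range).sort(compare).pop() ?? null;
}

// Deprecation-aware: non-deprecated first, then highest version.
// Deprecated versions are demoted, not excluded, so a range that only
// matches deprecated releases still resolves instead of failing.
function resolve(pack, range) {
  const dep = (v) => (pack.versions[v].deprecated ? 1 : 0);
  const sorted = candidates(pack, range).sort(
    (a, b) => dep(a) - dep(b) || compare(b, a)
  );
  return sorted[0] ?? null;
}
```

Comparing the output of `resolveNaive` and `resolve` for every dependency range in a lockfile or import map is a quick way to find places where a deprecated release is being pulled in.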