Rolldown dependency is always latest

[bluwy]

Reproduction link or steps

1. Clone https://github.com/vitejs/vite
2. Run pnpm i
3. Notice that the lockfile updates itself due to tsdown's dependency on rolldown

What is expected?

The lockfile does not update itself

What is actually happening?

The lockfile is updated because tsdown depends on rolldown via latest instead of a semver ^1.0.0-beta.X, causing the installation to always pull in the latest rolldown and updates the lockfile when there's a new version of rolldown.

I don't know if this is possibly a bug in pnpm where it should always reuse the locked version, but it might be better to use a strict range in the library instead.

Any additional comments?

This seem to happen since 8ae720a. On npm, you can also see that package.json dependencies has "rolldown": "latest"

[sxzz]

This issue cannot be resolved before Rolldown releases an official version: we are unable to restrict pre-releases using semver. In Yarn, specifying ^1.0.0-beta.30 will always install 1.0.0-beta.9, because version comparison is done based on ASCII values.

[bluwy]

In Yarn, specifying ^1.0.0-beta.30 will always install 1.0.0-beta.9, because version comparison is done based on ASCII values.

That's strange. Following https://semver.npmjs.com, that should never happen though so it seems more like a yarn bug to me. Do you know if there's a yarn issue to follow?

[sxzz]

See https://x.com/sanxiaozhizi/status/1954917986344788299

[bluwy]

Thanks, that's interesting. I'm still inclined though that the constraint check in yarn and https://jubianchi.github.io/semver-check/#/^1.0.0-beta.30/1.0.0-beta.9 are incorrect, and https://semver.npmjs.com should be trusted instead since we're dealing with the npm ecosystem.

It would be nice to use a stricter ^ range like before to fix the issue, but that's my opinion.

[sxzz]

Since I don't use Yarn, I haven't looked into the reasons behind this behavior or any related issues.

[mrginglymus]

I just tested this and yarn add -D rolldown@^1.0.0-beta.30 installs 1.0.0-beta.9-commit.d91dfb5

This is correct according to semver, as the post-beta segment of my request is 30, but the installed package segment is 9-commit.

semver says that

Numeric identifiers always have lower precedence than non-numeric identifiers.

Should the beta perhaps have been published as 1.0.0-beta.9+commit.d91dfb5

[bluwy]

FWIW I checked the npm source code and the logic that picks 1.0.0-beta.30 (whichever latest) instead seems to be coming from here. For pnpm, I think it's here (tricky to test so just reading the code).

I've added a comment to the rolldown issue if they're willing to unpublished the -commit versions to resolve this. Otherwise, I can report the install issue to pnpm instead as it doesn't happen with npm.

[mrginglymus]

Oh my, what is happening there - parsing semver loose. I wonder what the grammer for 'loose' semver is...and why it's even necessary? Is it to parse partial semvers? Either way, it's evidently being used incorrectly if npm is not pulling .beta.9-commit instead of .beta.30

Perhaps this is a semver bug - one would imagine that given a valid semver string, the loose parse should be identical to the strict parse.

edit: nope, even with loose parsing semver correctly interprets .beta.9-commit.

[sxzz]

I wonder if deprecating the -commit version would resolve the issue. Unpublishing might be risky for the Rolldown team.