node_runtime: Respect npm release-age filters for managed npm installs#56957
Merged
Conversation
maxdeviant
approved these changes
May 18, 2026
TomPlanche
pushed a commit
to TomPlanche/zed
that referenced
this pull request
May 20, 2026
zed-industries#56957) Zed-managed npm installers were resolving a concrete latest version with `npm info` and then installing `package@version`. That is brittle when users configure npm release-age filtering via `before` or `min-release-age`: npm's installer applies those rules during resolution, but our pinned install target could disagree with it, and therefore fail to install. This changes managed npm installs to install `package@latest` and let npm apply its own resolver and user config. The local latest-version lookup remains as a best-effort cache freshness check, not as the exact install target. Exact extension API installs remain unchanged because extensions explicitly request a package and version. If we want to revisit that we can. Self-Review Checklist: - [x] I've reviewed my own diff for quality, security, and reliability - [x] Unsafe blocks (if any) have justifying comments - [x] The content is consistent with the [UI/UX checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist) - [x] Tests cover the new/changed behavior - [x] Performance impact has been considered and is acceptable Closes zed-industries#53611 Release Notes: - Fixed npm-backed tool installs to better respect npm release-age filters.
Member
Author
|
/cherry-pick stable |
5 tasks
zed-zippy Bot
added a commit
that referenced
this pull request
May 21, 2026
#56957) (cherry-pick to stable) (#57439) Cherry-pick of #56957 to stable ---- Zed-managed npm installers were resolving a concrete latest version with `npm info` and then installing `package@version`. That is brittle when users configure npm release-age filtering via `before` or `min-release-age`: npm's installer applies those rules during resolution, but our pinned install target could disagree with it, and therefore fail to install. This changes managed npm installs to install `package@latest` and let npm apply its own resolver and user config. The local latest-version lookup remains as a best-effort cache freshness check, not as the exact install target. Exact extension API installs remain unchanged because extensions explicitly request a package and version. If we want to revisit that we can. Self-Review Checklist: - [x] I've reviewed my own diff for quality, security, and reliability - [x] Unsafe blocks (if any) have justifying comments - [x] The content is consistent with the [UI/UX checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist) - [x] Tests cover the new/changed behavior - [x] Performance impact has been considered and is acceptable Closes #53611 Release Notes: - Fixed npm-backed tool installs to better respect npm release-age filters. Co-authored-by: Ben Brandt <benjamin.j.brandt@gmail.com>
This was referenced May 22, 2026
TomPlanche
pushed a commit
to TomPlanche/zed
that referenced
this pull request
Jun 2, 2026
zed-industries#56957) Zed-managed npm installers were resolving a concrete latest version with `npm info` and then installing `package@version`. That is brittle when users configure npm release-age filtering via `before` or `min-release-age`: npm's installer applies those rules during resolution, but our pinned install target could disagree with it, and therefore fail to install. This changes managed npm installs to install `package@latest` and let npm apply its own resolver and user config. The local latest-version lookup remains as a best-effort cache freshness check, not as the exact install target. Exact extension API installs remain unchanged because extensions explicitly request a package and version. If we want to revisit that we can. Self-Review Checklist: - [x] I've reviewed my own diff for quality, security, and reliability - [x] Unsafe blocks (if any) have justifying comments - [x] The content is consistent with the [UI/UX checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist) - [x] Tests cover the new/changed behavior - [x] Performance impact has been considered and is acceptable Closes zed-industries#53611 Release Notes: - Fixed npm-backed tool installs to better respect npm release-age filters.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Zed-managed npm installers were resolving a concrete latest version with
npm infoand then installingpackage@version. That is brittle when usersconfigure npm release-age filtering via
beforeormin-release-age: npm'sinstaller applies those rules during resolution, but our pinned install target
could disagree with it, and therefore fail to install.
This changes managed npm installs to install
package@latestand let npm applyits own resolver and user config. The local latest-version lookup remains as a
best-effort cache freshness check, not as the exact install target.
Exact extension API installs remain unchanged because extensions explicitly
request a package and version. If we want to revisit that we can.
Self-Review Checklist:
Closes #53611
Release Notes: