[BUG] install a git dependency by tag does not install correct version.

[Raynos]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

I run npm install optoolco/tonic#v13.3.0 but instead v13.3.2 is installed.

The wrong version is installed.

Expected Behavior

Expected the right version to be installed ( v13.3.0 )

Steps To Reproduce

raynos at raynos-Precision-5530  
~/optoolco/async-level on master
$ npm -v
6.14.13
raynos at raynos-Precision-5530  
~/optoolco/async-level on master
$ npm i npm@7 -g
npm http fetch GET 304 https://registry.npmjs.org/npm 147ms (from cache)
npm http fetch GET 200 https://registry.npmjs.org/npm/-/npm-7.17.0.tgz 237ms
/home/raynos/projects/nvm/versions/node/v14.15.4/bin/npm -> /home/raynos/projects/nvm/versions/node/v14.15.4/lib/node_modules/npm/bin/npm-cli.js
/home/raynos/projects/nvm/versions/node/v14.15.4/bin/npx -> /home/raynos/projects/nvm/versions/node/v14.15.4/lib/node_modules/npm/bin/npx-cli.js
+ npm@7.17.0
added 62 packages from 25 contributors, removed 242 packages and updated 193 packages in 4.238s
raynos at raynos-Precision-5530  
~/optoolco/async-level on master
$ npm i optoolco/tonic#v13.3.2 -S
npm http fetch POST 200 https://registry.npmjs.org/-/npm/v1/security/advisories/bulk 380ms
npm http fetch GET 200 https://codeload.github.com/optoolco/tonic/tar.gz/191fd38b3c3eaf6b419ce8f5f38fa4a26940cdaf 366ms (cache miss)
pm[         .........] / reify:@optoolco/tonic: http fetch GET 200 https://codeload.github.com/optool[         .........] / reify:@optoolco/tonic: http fetch GET 200 https://codeload.github.com/optoolc

added 1 package, and audited 13 packages in 16s

found 0 vulnerabilities
raynos at raynos-Precision-5530  
~/optoolco/async-level on master*
$ npm -v
7.17.0
raynos at raynos-Precision-5530  
~/optoolco/async-level on master*
$ cat node_modules/@optoolco/tonic/package.json | jq .version
"13.3.2"
raynos at raynos-Precision-5530  
~/optoolco/async-level on master*
$ npm i optoolco/tonic#v13.3.0 -S
npm http fetch POST 200 https://registry.npmjs.org/-/npm/v1/security/advisories/bulk 354ms

up to date, audited 13 packages in 2s

found 0 vulnerabilities
raynos at raynos-Precision-5530  
~/optoolco/async-level on master*
$ cat node_modules/@optoolco/tonic/package.json | jq .version
"13.3.2"

Environment

• OS: Ubuntu 18
• Node: 14.15.4
• npm: 7.17.0

[isaacs]

I can't reproduce this with an empty package.json. What else is in your package.json or package-lock.json?

[Raynos]

Hmm, let me see what I have in my situation.

I tried the following again in a fresh git clone / folder

cd /tmp/playground
$ git clone git@github.com:optoolco/async-level.git
$ npm i npm@7 -g
+ npm@7.17.0
npm i
 npm i optoolco/tonic#v13.3.2 -S
$ cat node_modules/@optoolco/tonic/package.json | jq .version
"13.3.2"
$ npm i optoolco/tonic#v13.3.0 -S
$ cat node_modules/@optoolco/tonic/package.json | jq .version
"13.3.2"

I copied the whole package-lock.json here https://gist.github.com/Raynos/f8b3f69bb79e9edf2c787e3198613aaf

The optoolco/async-level project is open source and it's package.json is here ( https://github.com/optoolco/async-level/blob/master/package.json )

[Raynos]

If I run the following command

First

npm i optoolco/tonic#v13.3.0
git add .
git commit -m 'wip'
# then
npm i optoolco/tonic#v13.3.1

Then I run git diff to see what npm changed in package.json & package lock and I see

$ git diff
diff --git a/package-lock.json b/package-lock.json
index 62b7350..11d3d36 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -7,7 +7,7 @@
     "": {
       "version": "3.0.1",
       "dependencies": {
-        "@optoolco/tonic": "github:optoolco/tonic#v13.3.0"
+        "@optoolco/tonic": "github:optoolco/tonic#v13.3.1"
       },
       "devDependencies": {
         "@pre-bundled/tape": "4.11.0",
@@ -209,7 +209,7 @@
   "dependencies": {
     "@optoolco/tonic": {
       "version": "git+ssh://git@github.com/optoolco/tonic.git#191fd38b3c3eaf6b419ce8f5f38fa4a26940cdaf",
-      "from": "@optoolco/tonic@optoolco/tonic#v13.3.0"
+      "from": "@optoolco/tonic@optoolco/tonic#v13.3.1"
     },
     "@pre-bundled/tape": {
       "version": "4.11.0",
diff --git a/package.json b/package.json
index bef270c..079be64 100644
--- a/package.json
+++ b/package.json
@@ -39,6 +39,6 @@
     "uuid": "3.3.3"
   },
   "dependencies": {
-    "@optoolco/tonic": "github:optoolco/tonic#v13.3.0"
+    "@optoolco/tonic": "github:optoolco/tonic#v13.3.1"
   }
 }

The version / commit sha did not change.

[isaacs]

I'm seeing the commit sha and version change. https://gist.github.com/isaacs/635b8b128d547a3c50abbe7a0e0238ba

What version of npm are you using?

What do npm ls @optoolco/tonic and npm explain @optool/tonic report?

[Raynos]

I ran the exact test.sh you published in the gist and it installed the correct version.

Must be something about the existing dependencies & package.json

[Raynos]

~/tmp/playground/async-level on wut*
$ npm ls @optoolco/tonic
async-level@3.0.1 /home/raynos/tmp/playground/async-level
└── @optoolco/tonic@13.3.2 (git+ssh://git@github.com/optoolco/tonic.git#191fd38b3c3eaf6b419ce8f5f38fa4a26940cdaf)

raynos at raynos-Precision-5530  
~/tmp/playground/async-level on wut*
$ npm explain @optool/tonic
npm ERR! No dependencies found matching @optool/tonic

[ruyadorno]

sorry, it looks like the npm explain example had a typo in the scope name, it should have been the same pkg name:

$ npm explain @optoolco/tonic

[Raynos]

I was able to make a reproduction ( https://gist.github.com/Raynos/7399316094c146368e6a09f84d2d7970 ).

I had to actually downgrade the version number from 13.3.2 => 13.3.1 to reproduce the bug. Doing the same steps from 13.3.0 => 13.3.1 did not reproduce the bug.

[Raynos]

$ npm explain @optoolco/tonic
@optoolco/tonic@13.3.2
node_modules/@optoolco/tonic
  @optoolco/tonic@"github:optoolco/tonic#v13.3.1" from the root project