Alpha versioning causes strange resolutions when using ^ versioning in package.json

[blimmer]

Issue workflow progress

Progress of the issue based on the
Contributor Workflow

• 1. The issue provides a reproduction available on GitHub, Stackblitz or CodeSandbox

  For example, you can start off by editng the
  'basic' example on Stackblitz.

  Please make sure the graphql-eslint version under package.json matches yours.

• 2. A failing test has been provided

• 3. A local solution has been provided

• 4. A pull request is pending review

---

Describe the bug

I lost quite a bit of time testing out eslint flat configs today because of the way alpha versions are defined. When using a "caret version", e.g., "@graphql-eslint/eslint-plugin": "^4.0.0-alpha.5", package managers resolve this to a much older version than expected.

See steps below for the exact version / examples.

To Reproduce Steps to reproduce the behavior:

cd /tmp
mkdir test-graphql-eslint && cd test-graphql-eslint
npm init -y
npm install @graphql-eslint/eslint-plugin@^4.0.0-alpha.5
npm ls @graphql-eslint/eslint-plugin

You'll see that this actually resolved to an alpha version released in 2023:

> npm ls @graphql-eslint/eslint-plugin
[email protected] /private/tmp/test-graphql-eslint
└── @graphql-eslint/[email protected]

> npm view @graphql-eslint/[email protected]
@graphql-eslint/[email protected] | MIT | deps: 8 | versions: 476
GraphQL plugin for ESLint
https://github.com/B2o5T/graphql-eslint#readme

keywords: eslint, eslintplugin, eslint-plugin, graphql

dist
.tarball: https://registry.npmjs.org/@graphql-eslint/eslint-plugin/-/eslint-plugin-4.0.0-alpha-20230810160036-304c2c0.tgz
.shasum: d8a777e168beb27567792b2fbb00f780741c7a43
.integrity: sha512-gGaGCUllC6tuean+7tuTQjfTNvDJDz12XcW/m88heb0SMQOmoFSKEiY9cVCI72HEEQdSGKX3J7c32/V/9AS/yA==
.unpackedSize: 759.5 kB

dependencies:
@graphql-tools/code-file-loader: ^7.3.6  fast-glob: ^3.2.12
@graphql-tools/graphql-tag-pluck: ^7.3.6 graphql-config: ^4.5.0
@graphql-tools/utils: ^9.0.0             graphql-depth-limit: ^1.1.0
debug: ^4.3.4                            lodash.lowercase: ^4.3.0

maintainers:
- ivolodin <[email protected]>
- dotansimha <[email protected]>

dist-tags:
alpha: 4.0.0-alpha.5  latest: 3.20.1

published a year ago by dotansimha <[email protected]>

You can also see this odd behavior on the NPM semver calculator page:

We can work around this issue by specifying the exact version in package.json (e.g., use 4.0.0-alpha.5 instead of ^4.0.0-alpha.5).

Expected behavior

The caret version should provide the most recent version in the series. So conceptually, ^4.0.0-alpha.5 should resolve to 4.0.0-alpha.5, 4.0.0-alpha.6, etc. It's very unexpected that it resolved to a tag from over one year ago.

Environment:

• OS: MacOS
• @graphql-eslint/eslint-plugin: 4.0.0-alpha.5
• Node.js: 20.18.0

Additional context

This behavior is the same with yarn@4 and npm.

[eMerzh]

I have the same issue,simply because 4.0.0-alpha-20230810160036-304c2c0 aren't really semver...

maybe we can un-publish it? or publish a beta? if it looks somewhat stable?