Description
Hi,
node-vault has a dependency on postman-request, this has been a prerelease version for years.
The dependency is using ^2.88.1-postman.42 , but which version is picked by npm is a bit unexpected, since they are all share the same version just with different pre-release labels it appears to be sorting the labels in a certain way.
We're using this via a whitelisting mechanism using npm's before argument. And it seems that causes it to use the first pre-release version of this package, which is 7 years old, but appears to have been republished recently: https://www.npmjs.com/package/postman-request/v/2.88.1-postman.8-beta.1
We can't do much about postman-requests versioning strategy, but a fix for us would be to use a fixed version in the package.json:
package.json, line 29 at commit 47e6595:
"postman-request": "^2.88.1-postman.42",
So just remove the ^ from the version string.
Here is what happens with version resolving:
PS C:\dev\npm-test-05> npm --version
11.6.2
PS C:\dev\npm-test-05> npm install @usebruno/cli@2.* --audit=false --fund=false --registry https://registry.npmjs.org --before=2025-10-29
npm warn deprecated har-validator@5.1.5: this library is no longer supported
npm warn deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
added 444 packages in 20s
PS C:\dev\npm-test-05> npm explain postman-request
postman-request@2.88.1-postman.8-beta.1
node_modules/postman-request
  postman-request@"^2.88.1-postman.42" from node-vault@0.10.9
  node_modules/node-vault
    node-vault@"^0.10.2" from @usebruno/js@0.40.0
    node_modules/@usebruno/js
      @usebruno/js@"0.40.0" from @usebruno/cli@2.13.2
      node_modules/@usebruno/cli
        @usebruno/cli@"^2.13.2" from the root project