bug: dev build native binary tarball cannot be installed via npm install <url> #237

@carlos-alm

Description

Found during dogfooding v2.5.35-dev.26434e2

Severity: Medium
Command: npm install https://github.com/optave/codegraph/releases/download/dev-v2.5.35-dev.26434e2/optave-codegraph-win32-x64-msvc-2.5.35-dev.26434e2.tgz

Reproduction

mkdir /tmp/test && cd /tmp/test && npm init -y
npm install https://github.com/optave/codegraph/releases/download/dev-v2.5.35-dev.26434e2/optave-codegraph-2.5.35-dev.26434e2.tgz
# Main package installs OK

npm install https://github.com/optave/codegraph/releases/download/dev-v2.5.35-dev.26434e2/optave-codegraph-win32-x64-msvc-2.5.35-dev.26434e2.tgz
# Fails with: TypeError: Invalid Version:

Expected behavior

Both tarballs should install via npm install <url>.

Actual behavior

The native binary tarball fails with:

TypeError: Invalid Version:
    at new SemVer (semver/classes/semver.js:40:13)
    at compare (semver/functions/compare.js:5:32)
    at Object.eq (semver/functions/eq.js:4:29)
    at Node.canDedupe (@npmcli/arborist/lib/node.js:1123:32)

The error is in npm's arborist trying to compare versions during deduplication. It encounters an empty version string somewhere in the dependency tree.

Workaround

Manually download the tarball and extract it:

gh release download dev-v2.5.35-dev.26434e2 --repo optave/codegraph --pattern "*win32-x64*"
mkdir -p node_modules/@optave/codegraph-win32-x64-msvc
tar xzf optave-codegraph-win32-x64-msvc-2.5.35-dev.26434e2.tgz --strip-components=1 -C node_modules/@optave/codegraph-win32-x64-msvc

Note: any subsequent npm install will remove this manually-extracted package.

Root cause

Likely a version field issue in the published tarball's package.json, or an npm compatibility issue with the dev version format 2.5.35-dev.26434e2 (the .26434e2 part may not be valid semver prerelease — semver requires alphanumeric identifiers, and while 26434e2 is alphanumeric, npm's arborist may be parsing it differently).

Suggested fix

Ensure the native binary package version in the tarball follows strict semver prerelease format. Also consider if the main package's optionalDependencies should use a range instead of exact pin for dev builds.
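As an added example (not code from the optave/codegraph project or from the reporter), a pre-publish lint for the manifests npm's arborist will later hand to semver: it checks the main package, its optionalDependencies pins and the native binary package using the strict semver 2.0.0 grammar. The manifest objects are constructed here to mirror the version strings in this report; the empty-version one reproduces the input that makes `new SemVer("")` throw.

```javascript
// Added example, not code from the optave/codegraph project or the reporter.
// A pre-publish lint for the manifests npm's arborist hands to semver: an
// empty or malformed "version" is what later surfaces as
// "TypeError: Invalid Version:" during dedupe.

// Strict semver 2.0.0 grammar (the regex published at semver.org).
const SEMVER_RE = /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/;

function isStrictSemver(v) {
  return typeof v === "string" && SEMVER_RE.test(v);
}

// Returns human-readable problems for one package.json object; [] means clean.
function lintManifest(pkg) {
  const problems = [];
  if (!isStrictSemver(pkg.version)) {
    problems.push(`${pkg.name}: version ${JSON.stringify(pkg.version)} is not strict semver`);
  }
  for (const field of ["dependencies", "optionalDependencies"]) {
    for (const [dep, spec] of Object.entries(pkg[field] || {})) {
      if (typeof spec !== "string" || spec.trim() === "") {
        problems.push(`${pkg.name}: ${field}.${dep} has an empty version spec`);
      }
    }
  }
  return problems;
}

// Cross-check for dev builds that pin exactly: the main package's pin on the
// native package must equal the version actually inside the native tarball.
function pinIsExact(mainPkg, nativePkg) {
  const spec = (mainPkg.optionalDependencies || {})[nativePkg.name];
  return isStrictSemver(nativePkg.version) && spec === nativePkg.version;
}

// Constructed manifests mirroring the version strings in this report.
const mainPkg = {
  name: "@optave/codegraph",
  version: "2.5.35-dev.26434e2",
  optionalDependencies: { "@optave/codegraph-win32-x64-msvc": "2.5.35-dev.26434e2" },
};
const nativeGood = { name: "@optave/codegraph-win32-x64-msvc", version: "2.5.35-dev.26434e2" };
// Constructed "bad" manifest: an empty version, the input that makes new SemVer("") throw.
const nativeEmptyVersion = { name: "@optave/codegraph-win32-x64-msvc", version: "" };

for (const pkg of [mainPkg, nativeGood, nativeEmptyVersion]) {
  const problems = lintManifest(pkg);
  console.log(pkg.name, problems.length ? problems : "ok");
}
console.log("pin matches native tarball:", pinIsExact(mainPkg, nativeGood));
```

Note that `2.5.35-dev.26434e2` passes the strict grammar (both prerelease identifiers are alphanumeric), so a failing install points at an empty or otherwise malformed version somewhere in the tree rather than at this format itself.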

Labels: bug (Something isn't working), dogfood (Found during dogfooding)