[RRFC] Do not publish when "engines" field has an invalid range

[fabiosantoscode]

Problem statement

It's possible to publish a package to npm, which cannot be installed by yarn due to an invalid "engines" field.

Background

Today I published Terser 5.3.6, and it included a change that specified which node versions are compatible with it, through the "engines" package.json field.

However, I was too careless and shipped an invalid version range ^10.0.0,^11.0.0,^12.0.0,>=14.0.0.

After I published, Terser users quickly opened issues and PRs saying they couldn't install the package using yarn.

Proposed solution

I believe that npm publish could have checked the engines.node field as well as engines.npm and made sure that it's a valid semver range.

If it's not a valid semver range, it would exit with a non-zero code.

$ npm publish || echo Fail
[...error message]
Fail

Conclusion

I take full responsibility for my dumb mistake, but I believe there could have been a mechanism in npm publish to stop me from publishing a package with an invalid version range.

[ljharb]

Mismatching engines never prevents installation by default in npm, unless the user has engine-strict enabled.

That said, more safety and validation as part of publishing seems like a great idea.

[fabiosantoscode]

To be honest I didn't verify it myself. I just saw a lot of comments on this issue: terser/terser#858 and rushed to fix the issue right away.

A lot of these comments mention yarn, so it might be yarn that's having problems with this.

[fabiosantoscode]

Ok, I verified that it's yarn. npm shows me a warning but still installs. I'll be correcting the issue text.