Is npm install package@latest stable or does it also include alpha/beta version?

Question

I just want some confirmation as I've always been using @latest for a while with my packages and want to know if I'm really installing a stable version or can possibly install a alpha/beta version of the package.

I'm pretty sure this is meant for stable versions as they tell you to install@latest for npm (unless it's special syntax like npm start).

The more I think about it, the more paranoid I get, any confirmation would be greatly appreciated. :)

Answer 1

Using npm install <pkg>@latest is equivalent to using npm install <pkg> by itself or listing * as the dependency version in package.json. npm documents this here:

npm install will use the latest tag by default.

So in practical terms, latest is semantically equivalent to stable.

However, if a prerelease version of a package is published to npm without specifying a prerelease tag such as --beta or --rc, that version becomes the latest by default:

By default, npm publish will tag your package with the latest tag.

As a result, it's possible to mess up and publish a prerelease version that will be installed by default. This happened to Bootstrap in late 2015.

This article from early 2016 by Mike Bostock explains how even specifying alpha or beta as part of the version number won't prevent npm from making that version the latest.

So unfortunately if you want to be certain that you get only stable versions, you need to monitor this manually or trust the package developers to always specify a prerelease tag for non-stable versions.

You can also view the tags assigned for a package like this:

$ npm view express dist-tags
{ latest: '4.16.2', rc: '4.0.0-rc4' }