How does NPM choose the version of ember-source to install?

Currently, the latest non-beta release of Ember is 3.18.1; see the Ember changelog.

My package.json file lists the following for ember-source:

"ember-source": "^3.12.0",

When I run npm install, v3.16.0 of ember-source is installed, confirmed both in Ember Inspector and package-lock.json, which seems to be a departure from NPM's standard implementation of semver.

If I use PNPM by running pnpm install instead, it installs v3.18.1 of ember-source. This actually seems to follow the standard implementation of semver.

What exactly causes NPM to install v3.16.0, instead of 3.18.1?

My guess is that it has something to do with NPM picking a package that resolves to all the ember-source dependencies of your other packages? You could probably scan through your package lockfile and see what all requires ember-source and what versions.

FWIW though I would recommend against using ^ versions for most/all ember dependencies. There can be very big changes/deprecations, and it can also break interop with 3rd party packages. You also don’t catch blueprint changes, etc when “upgrading” this way. The defaults for those packages are ~ tilde versions, and I would recommend keeping that and using ember-cli-update to update any of the ember dependencies.

Interesting, thank you. Agreed on avoiding ^ versions as a general rule.

confirmed both in Ember Inspector and package-lock.json

To clarify, does it say 3.16 in your package-lock.json before running npm install, or only after?

(Because if before, that is the whole point of package-lock.json.)

My guess is that it has something to do with NPM picking a package that resolves to all the ember-source dependencies of your other packages?

NPM is not that smart and doesn’t attempt to optimize in that way.

With no lockfile and no preexisting node_modules directory, ^3.12.0 should reliably result in 3.18.1 right now. I just tested and got that result. If you have a lockfile or already have a node_modules directory present, that can influence the outcome.
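The resolution rule described in the reply above (a bare ^3.12.0 picks the highest non-prerelease 3.x release, while an existing package-lock.json keeps the version it already recorded), together with the ^ versus ~ distinction from the earlier reply, modelled as a small added example in JavaScript. This is not code from the thread or from npm itself: the version list is constructed, the matcher covers only plain caret and tilde ranges, the prerelease rule is simplified, and the "locked version wins while it still satisfies the range" behaviour of npm install is an assumption stated here rather than something the thread spells out.

```javascript
// Added example, not from the original thread or from npm. A minimal model of
// how a semver range is turned into a concrete version, and how a lockfile
// entry overrides that choice. Real npm uses the `semver` package and
// @npmcli/arborist; this only models the caret/tilde forms discussed above.

// Constructed sample of what a registry might list; not real ember-source data.
const AVAILABLE = [
  "3.12.0", "3.12.3", "3.13.0", "3.16.0", "3.17.2", "3.18.1",
  "3.19.0-beta.1", "4.0.0",
];

function parse(v) {
  // "3.19.0-beta.1" -> { major: 3, minor: 19, patch: 0, pre: "beta.1" }
  const [core, pre] = v.split("-");
  const [major, minor, patch] = core.split(".").map(Number);
  return { major, minor, patch, pre: pre || null };
}

function compare(a, b) {
  const pa = parse(a), pb = parse(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  // A prerelease sorts below the final release with the same core version.
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

function satisfies(version, range) {
  const op = range[0];
  const baseStr = range.slice(1);
  const base = parse(baseStr);
  const v = parse(version);
  // Simplified prerelease rule: a prerelease only matches a range that itself
  // names a prerelease. This is why "^3.12.0" skips 3.19.0-beta.1.
  if (v.pre && !base.pre) return false;
  if (compare(version, baseStr) < 0) return false;
  if (op === "^") {
    // ^X.Y.Z keeps the leftmost non-zero component fixed:
    //   ^3.12.0 => >=3.12.0 <4.0.0, ^0.12.0 => >=0.12.0 <0.13.0, ^0.0.3 => =0.0.3
    if (base.major > 0) return v.major === base.major;
    if (base.minor > 0) return v.major === 0 && v.minor === base.minor;
    return v.major === 0 && v.minor === 0 && v.patch === base.patch;
  }
  if (op === "~") {
    // ~3.12.0 => >=3.12.0 <3.13.0 (patch-level updates only)
    return v.major === base.major && v.minor === base.minor;
  }
  throw new Error(`unsupported range: ${range}`);
}

function resolve(range, available, lockedVersion = null) {
  // Assumption modelled here: npm install keeps the lockfile's recorded
  // version as long as it still satisfies the declared range, and only
  // re-resolves (to the highest matching release) when it does not.
  if (lockedVersion && satisfies(lockedVersion, range)) return lockedVersion;
  const matching = available.filter((v) => satisfies(v, range));
  if (matching.length === 0) return null;
  return matching.sort(compare).pop();
}

// Fresh install, no lockfile: the range alone decides.
console.log(resolve("^3.12.0", AVAILABLE));          // 3.18.1
console.log(resolve("~3.12.0", AVAILABLE));          // 3.12.3
// Same range, but package-lock.json already records 3.16.0: the lock wins.
console.log(resolve("^3.12.0", AVAILABLE, "3.16.0")); // 3.16.0
```

The last call is the situation from the original question: the range ^3.12.0 does allow 3.18.1, but an existing package-lock.json (or node_modules) supplies 3.16.0 first, so npm never re-resolves. Deleting the lockfile, or running a tool such as pnpm that ignores package-lock.json, removes that input and the range alone decides.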

@ef4 quite right. After reading your response, I dug deeper and found that pnpm does not use package-lock.json, hence my confusion.