Non-version package specifiers don't work

[rotu]

Corepack rejects valid package specifiers which are not versions.

For instance the following are valid specifiers which are more specific than semver but which nevertheless are rejected by corepack:

• npm@github:npm/cli#c12ea07
• yarn@https://registry.npmjs.org/yarn/-/yarn-2.4.3.tgz

output:

corepack use yarn@https://registry.npmjs.org/yarn/-/yarn-2.4.3.tgz
Usage Error: Tag not found (https://registry.npmjs.org/yarn/-/yarn-2.4.3.tgz)

$ corepack use <pattern>

corepack install --global yarn@https://registry.npmjs.org/yarn/-/yarn-2.4.3.tgz
Internal Error: ENOENT: no such file or directory, stat '/Users/dan/Source/corepack/yarn@https:/registry.npmjs.org/yarn/-/yarn-2.4.3.tgz'
Error: ENOENT: no such file or directory, stat '/Users/dan/Source/corepack/yarn@https:/registry.npmjs.org/yarn/-/yarn-2.4.3.tgz'

[rotu]

Originally reported in #312 (comment)

[aduh95]

I think this is the documented behavior:

corepack/README.md

Lines 80 to 82 in fe3e5cd

	`[email protected]` is required. The hash is optional but strongly
	recommended as a security practice. Permitted values for the package manager are
	`yarn`, `npm`, and `pnpm`.

Should we close as Won't fix?

[arcanis]

I don't think we should support git repositories (they are very complex to clone / install / pack), but it'd imo be reasonable to allow arbitrary urls (either .tgz or .js). Can be useful for internal mirrors.

[merceyz]

but it'd imo be reasonable to allow arbitrary urls

As build metadata or in general?

I don't think we should allow using anything but name@semver as it would break and/or make it difficult for third party tools to check the field to see which version is in use.

[arcanis]

They could still easily call --version to know this information though.

[BuildBackBuehler]

I suppose this is a differing issue, but the man pages of corepack (node v21+) state one can also use

corepack install yarn@*

https://nodejs.org/api/corepack.html

To install the latest pnpm. That doesn't work for me. Neither does using * work inside my package.json. i.e.,

"packageManager": "pnpm@*"

I also tried latest or leaving out the version altogether and it wasn't accepted.

Edit: tried corepack install pnpm@latest – this worked & input what works for the package.json, hope that will take care of future updates, but I imagine that'll still require the manual update (just via corepack use pnpm@latest, which also works). For ref.
"packageManager": "[email protected]+sha256.487609e857f1c11780cc98dd0bfe4c8a8b11c7f23bc3a4493ac7d263d6fb6c8c"

[rotu]

I think there are two issues:

• yarn@* is probably being expanded by your shell and the version of the command without the global tag doesn't take a specifier. Try corepack use ‘yarn@*’ or corepack install -g ‘yarn@*’ instead.
• the package.json packageManager field does not take a package specifier - it only takes a resolved version.