Add version range auto-force to dlx-package

jdalton · jdalton · commit 151315da540f · 2025-10-23T08:12:03.000-04:00
Automatically force reinstall for version ranges to get latest within range:
- Detect range operators: ^, ~, &gt;, &lt;, =, x, X, *, spaces, ||
- Exact versions (1.0.0) use cache if available
- Range versions (^1.0.0) auto-force to get latest
- User can override with explicit force: false

Add 9 tests for version range detection covering all operator types.
diff --git a/src/dlx-package.ts b/src/dlx-package.ts
@@ -9,6 +9,11 @@
  * - Each unique spec gets its own directory: ~/.socket/_dlx/<hash>/
  * - Allows caching multiple versions of the same package
  *
+ * Version range handling:
+ * - Exact versions (1.0.0) use cache if available
+ * - Range versions (^1.0.0, ~1.0.0) auto-force to get latest within range
+ * - User can override with explicit force: false
+ *
  * Key difference from dlx-binary.ts:
  * - dlx-binary.ts: Downloads standalone binaries from URLs
  * - dlx-package.ts: Installs npm packages from registries
@@ -25,6 +30,12 @@ import { getSocketDlxDir } from './paths'
 import type { SpawnExtra, SpawnOptions } from './spawn'
 import { spawn } from './spawn'
 
+/**
+ * Regex to check if a version string contains range operators.
+ * Matches any version with range operators: ~, ^, >, <, =, x, X, *, spaces, or ||.
+ */
+const rangeOperatorsRegExp = /[~^><=xX* ]|\|\|/
+
 export interface DlxPackageOptions {
   /**
    * Package to install (e.g., '@cyclonedx/cdxgen@10.0.0').
@@ -182,14 +193,16 @@ function findBinaryPath(
  *
  * This is the Socket equivalent of npx/pnpm dlx/yarn dlx, but using
  * our own cache directory (~/.socket/_dlx) and installation logic.
+ *
+ * Auto-forces reinstall for version ranges to get latest within range.
  */
 export async function dlxPackage(
   args: readonly string[] | string[],
   options?: DlxPackageOptions | undefined,
   spawnExtra?: SpawnExtra | undefined,
 ): Promise<DlxPackageResult> {
   const {
-    force = false,
+    force: userForce,
     package: packageSpec,
     spawnOptions,
   } = { __proto__: null, ...options } as DlxPackageOptions
@@ -198,6 +211,12 @@ export async function dlxPackage(
   const { name: packageName, version: packageVersion } =
     parsePackageSpec(packageSpec)
 
+  // Auto-force for version ranges to get latest within range.
+  // User can still override with explicit force: false if they want cache.
+  const isVersionRange =
+    packageVersion !== undefined && rangeOperatorsRegExp.test(packageVersion)
+  const force = userForce !== undefined ? userForce : isVersionRange
+
   // Build full package spec for installation.
   const fullPackageSpec = packageVersion
     ? `${packageName}@${packageVersion}`
diff --git a/test/dlx-package.test.ts b/test/dlx-package.test.ts
@@ -304,4 +304,64 @@ describe('dlx-package', () => {
       expect(hash).toHaveLength(16)
     })
   })
+
+  describe('version range detection', () => {
+    const rangeOperatorsRegExp = /[~^><=xX* ]|\|\|/
+
+    it('should detect caret ranges', () => {
+      expect(rangeOperatorsRegExp.test('^1.0.0')).toBe(true)
+      expect(rangeOperatorsRegExp.test('^11.0.0')).toBe(true)
+    })
+
+    it('should detect tilde ranges', () => {
+      expect(rangeOperatorsRegExp.test('~1.0.0')).toBe(true)
+      expect(rangeOperatorsRegExp.test('~11.7.0')).toBe(true)
+    })
+
+    it('should detect greater than ranges', () => {
+      expect(rangeOperatorsRegExp.test('>1.0.0')).toBe(true)
+      expect(rangeOperatorsRegExp.test('>=1.0.0')).toBe(true)
+    })
+
+    it('should detect less than ranges', () => {
+      expect(rangeOperatorsRegExp.test('<2.0.0')).toBe(true)
+      expect(rangeOperatorsRegExp.test('<=2.0.0')).toBe(true)
+    })
+
+    it('should detect wildcard ranges', () => {
+      expect(rangeOperatorsRegExp.test('1.0.x')).toBe(true)
+      expect(rangeOperatorsRegExp.test('1.0.X')).toBe(true)
+      expect(rangeOperatorsRegExp.test('1.0.*')).toBe(true)
+    })
+
+    it('should detect complex ranges', () => {
+      expect(rangeOperatorsRegExp.test('>1.0.0 <2.0.0')).toBe(true)
+      expect(rangeOperatorsRegExp.test('>=1.0.0 <=2.0.0')).toBe(true)
+      expect(rangeOperatorsRegExp.test('1.0.0 || 2.0.0')).toBe(true)
+    })
+
+    it('should not detect exact versions', () => {
+      expect(rangeOperatorsRegExp.test('1.0.0')).toBe(false)
+      expect(rangeOperatorsRegExp.test('11.7.0')).toBe(false)
+      expect(rangeOperatorsRegExp.test('0.0.1')).toBe(false)
+    })
+
+    it('should not detect versions with prerelease tags', () => {
+      expect(rangeOperatorsRegExp.test('1.0.0-alpha')).toBe(false)
+      expect(rangeOperatorsRegExp.test('1.0.0-beta.1')).toBe(false)
+      expect(rangeOperatorsRegExp.test('1.0.0+build.123')).toBe(false)
+    })
+
+    it('should handle packages with x in name correctly', () => {
+      // Note: Regex matches 'x' character anywhere, but in real usage
+      // we only test the version string, not the package name.
+      // Package name '@cyclonedx/cdxgen' contains 'x' which would match,
+      // but this is fine because we parse name and version separately.
+      expect(rangeOperatorsRegExp.test('cyclonedx')).toBe(true) // Contains 'x'.
+      expect(rangeOperatorsRegExp.test('express')).toBe(true) // Contains 'x'.
+
+      // In practice, we only test version strings.
+      expect(rangeOperatorsRegExp.test('1.2.3')).toBe(false) // Exact version, no 'x'.
+    })
+  })
 })
