There is a flaw in the VERSION-RANGE-SPEC

[pstray]

There is a logical flaw in VERSION-RANGE-SPEC, as there is only an OR-operator for ranges. At least for npms semvers there should be an AND operator.

One of the examples:
vers:npm/1.2.3|>=2.0.0|<5.0.0

This would essentially parse to every version, as everything mathes less than 5.0.0 or greater or equal to 2.0.0

Following the npm semver spec (https://github.com/npm/node-semver#ranges) this would have been written as:

1.2.3 || >=2.0.0 <5.0.0

Parsing to either 1.2.3 or (greater or equal to 2.0.0 AND less than 5.0.0)

That AND operator seem to have gotten lost on the way...

[pombredanne]

@pstray late to reply, but still replying!

re:

That AND operator seem to have gotten lost on the way...

Actually this was not lost at all. This was intentionally not added.

The range is defined as intervals on the code timeline, with 1.2.3, 2.0.0, 5.0.0 as your signposts here. 🚩

From the spec:

This list of are signposts in the version timeline of a package that specify version intervals.

A satisfies a version range specifier if it is contained within any of the intervals defined by these .

So here vers:npm/1.2.3|>=2.0.0|<5.0.0 defines these intervals:

..... 1.2.3 ..... 2.0.0 ..... 5.0.0 .....
out in out in in out out

... which would parse effectively to what you expected: either 1.2.3 or (greater or equal to 2.0.0 AND less than 5.0.0)

I hope this make sense.